Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 22:14
Behavioral task behavioral1
Sample: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Size: 300KB
MD5: 017467335df194176bc1b39851b55970
SHA1: bf002946e5d0a206a6b2ff8e31ab187daaa33985
SHA256: 9fe500bb17dc286aa7fbda0e3b161215452d6a2e28bea6397b15b38a12ac4de8
SHA512: db5ec10fef957dd8a86f8a7d2219079df34688cfe9bdaa2be3f9c7ecac21e26c51debc64bc3765bbd197b1b084d582b7a4b032df8c6788125bc58f970fe598a1
SSDEEP: 6144:1W+8dV2GqufhcmoZjwszeXmr8SeNpgdyuH1l+/Wd:k+6pymCjb87g4/c
Malware Config
Signatures (from behavioral1, the Windows 7 x64 run; the memory dumps matched below are tagged behavioral1)
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
The key is HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (SSODL). Explorer.exe instantiates every COM object listed under that key at logon, so the value "Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}" makes Explorer load whatever DLL that CLSID's InProcServer32 points to; the "Modifies registry class" signature below shows the dropped stages pointing that CLSID at DLLs in C:\Windows\SysWow64. All 64 IoCs touch this one key and value; they are grouped here by operation.
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, by (34 processes): Qfljkp32.exe, Ifdlng32.exe, Imbjcpnn.exe, Qqdbiopj.exe, Dahkok32.exe, Ihglhp32.exe, Nefdpjkl.exe, Bqmpdioa.exe, Difqji32.exe, Ieajkfmd.exe, Mbchni32.exe, Pkoicb32.exe, Cmhjdiap.exe, Kllnhg32.exe, Pcljmdmj.exe, Mblbnj32.exe, Bkbaii32.exe, Gncldi32.exe, Lhknaf32.exe, Eemnnn32.exe, Gnaooi32.exe, Ghofam32.exe, Jjfkmdlg.exe, Fqalaa32.exe, Fhbpkh32.exe, Njfjnpgp.exe, Njeccjcd.exe, Kdphjm32.exe, Joidhh32.exe, Mmogmjmn.exe, Iedfqeka.exe, Phcilf32.exe, Imaapa32.exe, Gmbfggdo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}", by (30 processes): Iediin32.exe, Qqdbiopj.exe, Mfokinhf.exe, Akfkbd32.exe, Fjjpjgjj.exe, Jplfkjbd.exe, Gjgiidkl.exe, Anogijnb.exe, Ljldnhid.exe, Ebnabb32.exe, Jbpdeogo.exe, Hakkgc32.exe, Gqlhkofn.exe, Biaign32.exe, Pnbojmmp.exe, Aejlnmkm.exe, Bacihmoo.exe, Obgkpb32.exe, Hpbdmo32.exe, Ibkmchbh.exe, Ecbhdi32.exe, Jikeeh32.exe, Lbcbjlmb.exe, Agolnbok.exe, Deakjjbk.exe, Mgjnhaco.exe, Qbnphngk.exe, Qfljkp32.exe, Olebgfao.exe, Nagbgl32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan that can download and install additional malware, such as other Trojans, ransomware, and cryptominers.
Yara rule family_berbew matched on the following resources (file paths as the report records them, some with and some without the drive letter):
\Windows\SysWOW64\: Qqdbiopj.exe, Akncimmh.exe, Abmdafpp.exe, Acqnnndl.exe, Bccjdnbi.exe, Bplhnoej.exe, Bbmapj32.exe, Cjmopkla.exe, Chqoipkk.exe, Cdjmcpnl.exe, Dlgnmb32.exe, Dljkcb32.exe, Dpgcip32.exe, Ejkkfjkj.exe
C:\Windows\SysWOW64\: Cbajkiof.exe, Diphbfdi.exe, Ekjgpm32.exe, Ecfldoph.exe, Fheabelm.exe, Fhgnge32.exe, Fdnolfon.exe, Ffmkfifa.exe, Fdbhge32.exe, Gmbfggdo.exe, Gmpjagfa.exe, Hebdfind.exe, Gfmgelil.exe, Hnmeen32.exe, Iphecepe.exe, Ipjahd32.exe, Ifffkncm.exe, Jbpdeogo.exe, Jniefm32.exe, Jnkakl32.exe, Jgfcja32.exe, Klehgh32.exe, Khlili32.exe, Kfpifm32.exe, Kllnhg32.exe, Kgfoie32.exe, Lqqpgj32.exe, Lneaqn32.exe, Ljkaeo32.exe, Lgoboc32.exe, Lqhfhigj.exe, Mmogmjmn.exe, Mfglep32.exe, Mpopnejo.exe, Mihdgkpp.exe, Mgmahg32.exe, Mhonngce.exe, Nagbgl32.exe, Nmnclmoj.exe, Niedqnen.exe, Nigafnck.exe, Nbpeoc32.exe, Npdfhhhe.exe, Olkfmi32.exe, Obgkpb32.exe, Ohcdhi32.exe, Odjdmjgo.exe
Memory regions: behavioral1/memory/2324-328-0x0000000000230000-0x0000000000272000-memory.dmp, behavioral1/memory/2324-327-0x0000000000230000-0x0000000000272000-memory.dmp, behavioral1/memory/2716-459-0x0000000000220000-0x0000000000262000-memory.dmp (in the process list below, PID 2324 is Gmbfggdo.exe and PID 2716 is Khlili32.exe)
Executes dropped EXE (64 IoCs)
PID and process, in the order the report lists them:
2116 Qqdbiopj.exe, 2912 Akncimmh.exe, 2688 Abmdafpp.exe, 2936 Acqnnndl.exe, 2468 Bccjdnbi.exe, 2836 Bplhnoej.exe, 1052 Bbmapj32.exe, 1748 Cbajkiof.exe,
2484 Cjmopkla.exe, 2860 Chqoipkk.exe, 1796 Cdjmcpnl.exe, 2248 Dlgnmb32.exe, 1368 Dljkcb32.exe, 1696 Dpgcip32.exe, 2320 Diphbfdi.exe, 336 Ejkkfjkj.exe,
2300 Ekjgpm32.exe, 2372 Ecfldoph.exe, 1120 Fheabelm.exe, 240 Fhgnge32.exe, 1604 Fdnolfon.exe, 1972 Ffmkfifa.exe, 2100 Fdbhge32.exe, 2968 Gmpjagfa.exe,
2324 Gmbfggdo.exe, 2336 Gfmgelil.exe, 2344 Hebdfind.exe, 1640 Hnmeen32.exe, 2652 Iphecepe.exe, 2432 Ipjahd32.exe, 2480 Ifffkncm.exe, 2888 Jbpdeogo.exe,
1060 Jniefm32.exe, 3016 Jnkakl32.exe, 1180 Jgfcja32.exe, 888 Klehgh32.exe, 2716 Khlili32.exe, 1044 Kfpifm32.exe, 2960 Kllnhg32.exe, 1444 Kgfoie32.exe,
1780 Lqqpgj32.exe, 876 Lneaqn32.exe, 2276 Ljkaeo32.exe, 2948 Lgoboc32.exe, 1936 Lqhfhigj.exe, 1828 Mmogmjmn.exe, 2056 Mfglep32.exe, 1296 Mpopnejo.exe,
1892 Mihdgkpp.exe, 2900 Mgmahg32.exe, 2140 Mhonngce.exe, 1596 Nagbgl32.exe, 1776 Nmnclmoj.exe, 2940 Niedqnen.exe, 2632 Nigafnck.exe, 2676 Nbpeoc32.exe,
2348 Npdfhhhe.exe, 2012 Olkfmi32.exe, 836 Obgkpb32.exe, 568 Ohcdhi32.exe, 956 Odjdmjgo.exe, 1068 Okdmjdol.exe, 1428 Oijjka32.exe, 948 Pkifdd32.exe
Loads dropped DLL (64 IoCs)
The report lists each of these 32 processes twice (two load events each); PID and process, listed once:
1612 017467335df194176bc1b39851b55970_NeikiAnalytics.exe, 2116 Qqdbiopj.exe, 2912 Akncimmh.exe, 2688 Abmdafpp.exe, 2936 Acqnnndl.exe, 2468 Bccjdnbi.exe, 2836 Bplhnoej.exe, 1052 Bbmapj32.exe,
1748 Cbajkiof.exe, 2484 Cjmopkla.exe, 2860 Chqoipkk.exe, 1796 Cdjmcpnl.exe, 2248 Dlgnmb32.exe, 1368 Dljkcb32.exe, 1696 Dpgcip32.exe, 2320 Diphbfdi.exe,
336 Ejkkfjkj.exe, 2300 Ekjgpm32.exe, 2372 Ecfldoph.exe, 1120 Fheabelm.exe, 240 Fhgnge32.exe, 1604 Fdnolfon.exe, 1972 Ffmkfifa.exe, 2100 Fdbhge32.exe,
2968 Gmpjagfa.exe, 2324 Gmbfggdo.exe, 2336 Gfmgelil.exe, 2344 Hebdfind.exe, 1640 Hnmeen32.exe, 2652 Iphecepe.exe, 2432 Ipjahd32.exe, 2480 Ifffkncm.exe
Drops file in System32 directory (64 IoCs)
The sample is 32-bit (its registry writes go under Wow6432Node), so its System32 writes land in C:\Windows\SysWOW64. Each stage drops the next-stage EXE and, in many cases, a companion DLL; the DLL names match the InProcServer32 values in "Modifies registry class" below (for example Ammbof32.dll is created by Oiafee32.exe and registered as the COM server by Oiafee32.exe).
File created in C:\Windows\SysWOW64\ (37):
Mkhngh32.dll (by Ojglhm32.exe), Pebpkk32.exe (by Pohhna32.exe), Laqojfli.exe (by Lgkkmm32.exe), Ammbof32.dll (by Oiafee32.exe), Ecbhdi32.exe (by Eijdkcgn.exe), Jlkglm32.exe (by Jeqopcld.exe), Knpkmqgb.dll (by Bbmapj32.exe), Llmidedh.dll (by Ecfldoph.exe), Npdfhhhe.exe (by Nbpeoc32.exe), Giipab32.exe (by Gncldi32.exe), Imaapa32.exe (by Ibkmchbh.exe), Dokmejcg.dll (by Lgkkmm32.exe), Qdckaqog.dll (by Jgfcja32.exe), Godaakic.exe (by Gjgiidkl.exe), Kqdodila.dll (by Epbbkf32.exe), Cbpjfb32.dll (by Gmbfggdo.exe), Pgbdodnh.exe (by Pdakniag.exe), Gamnel32.dll (by Momfan32.exe), Cjjnhnbl.exe (by Cdmepgce.exe), Ojmklbll.dll (by Ebnabb32.exe), Pdddkijo.dll (by Akncimmh.exe), Cafngogd.dll (by Ehpalp32.exe), Kmimme32.dll (by Fmkilb32.exe), Bqijljfd.exe (by Bfdenafn.exe), Alelkg32.dll (by Dncibp32.exe), Kkfmcc32.dll (by Gneijien.exe), Mggabaea.exe (by Mmbmeifk.exe), Cpfmmf32.exe (by Cepipm32.exe), Kdnkdmec.exe (by Kbmome32.exe), Dfcgbb32.exe (by Deakjjbk.exe), Fkgfqf32.dll (by Eimcjl32.exe), Eijdkcgn.exe (by Ecploipa.exe), Kbmome32.exe (by Klcgpkhh.exe), Kadica32.exe (by Kkjpggkn.exe), Dlgnmb32.exe (by Cdjmcpnl.exe), Jgfcja32.exe (by Jnkakl32.exe), Jcohdeco.dll (by Fdpgph32.exe)
File opened for modification in C:\Windows\SysWOW64\ (27):
Agpeaa32.exe (by Aeoijidl.exe), Ccpcckck.exe (by Cmfkfa32.exe), Hgbfnngi.exe (by Hpkompgg.exe), Keioca32.exe (by Jplfkjbd.exe), Lqqpgj32.exe (by Kgfoie32.exe), Bnochnpm.exe (by Bhbkpgbf.exe), Mhfjjdjf.exe (by Mblbnj32.exe), Paocnkph.exe (by Phfoee32.exe), Mmogmjmn.exe (by Lqhfhigj.exe), Qqfkln32.exe (by Qfljkp32.exe), Dnhbmpkn.exe (by Dgnjqe32.exe), Lbafdlod.exe (by Lldmleam.exe), Jlkglm32.exe (by Jeqopcld.exe), Bammlq32.exe (by Biaign32.exe), Hfjpdjjo.exe (by Hcldhnkk.exe), Hiqoeplo.exe (by Hbggif32.exe), Gmpjagfa.exe (by Fdbhge32.exe), Mgmahg32.exe (by Mihdgkpp.exe), Edibhmml.exe (by Dmojkc32.exe), Fnacpffh.exe (by Fhdjgoha.exe), Aclpaali.exe (by Anogijnb.exe), Dncibp32.exe (by Difqji32.exe), Lqhfhigj.exe (by Lgoboc32.exe), Eoiiijcc.exe (by Ehpalp32.exe), Iahceq32.exe (by Ijnkifgp.exe), Kbmome32.exe (by Klcgpkhh.exe), Gdhkfd32.exe (by Gkpfmnlb.exe)
Modifies registry class 64 IoCs
Processes:
Kenoifpb.exeLcdhgn32.exeNkkmgncb.exeNjeccjcd.exeJgfcja32.exeHjofdi32.exeHfjpdjjo.exePebpkk32.exeOiafee32.exeCehhdkjf.exeOmpefj32.exeHbggif32.exeIfpcchai.exeLgingm32.exeBammlq32.exeFmkilb32.exeNmkplgnq.exeNncbdomg.exeAkfkbd32.exeCgidfcdk.exeJplfkjbd.exeFkecij32.exeGnaooi32.exeLbcbjlmb.exePljlbf32.exeMokilo32.exeEemnnn32.exePkifdd32.exeNnmlcp32.exeCgaaah32.exeGoiongbc.exeChqoipkk.exeLbafdlod.exeAdnpkjde.exeKkpqlm32.exeHnbaif32.exeAgihgp32.exeFppaej32.exeKbhbai32.exePgbdodnh.exeHqfaldbo.exeBlkjkflb.exeLneaqn32.exeOdjdmjgo.exeCkhdggom.exeKgnkci32.exeJefbnacn.exeCpkmcldj.exeAkpkmo32.exeCpfdhl32.exeQbnphngk.exeAclpaali.exeJmfcop32.exeAnbkipok.exeJlkglm32.exeKpfplo32.exeDifqji32.exeNggggoda.exeFkcilc32.exeOijjka32.exeFgnadkic.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kenoifpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjgiobf.dll" Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkkmgncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njeccjcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgfcja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjofdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbeeddm.dll" Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pebpkk32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammbof32.dll" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klncqmjg.dll" Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlcjk32.dll" Ifpcchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjikp32.dll" Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfdfdee.dll" Bammlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmkilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmkplgnq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhbje32.dll" Cgidfcdk.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jplfkjbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfplfp.dll" Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" Pljlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mokilo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgidfcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagflkia.dll" Nnmlcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgaaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goiongbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chqoipkk.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbafdlod.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adnpkjde.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkpqlm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnbaif32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjhg32.dll" Agihgp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fppaej32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbhbai32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgbdodnh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqfaldbo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Pebpkk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbccb32.dll" Blkjkflb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Fppaej32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lneaqn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odjdmjgo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll" Ckhdggom.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnkci32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll" Jefbnacn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpkmcldj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akpkmo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfdhl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbnphngk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aclpaali.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmfcop32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll" Anbkipok.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkglm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpfplo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Difqji32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfenggg.dll" Nggggoda.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkcilc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oijjka32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgnadkic.exe -
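The registry events above are the whole persistence mechanism. The sample registers one CLSID under Wow6432Node\CLSID whose InProcServer32 default value points at a DLL it dropped into SysWow64, and lists that CLSID under ShellServiceObjectDelayLoad, a key Explorer walks at logon to load shell service objects into its own process. Successive stages re-point the same CLSID at different DLLs, which is why the table shows many InProcServer32 writes from many writers. The Python below is an added example, not part of this sandbox report or of the sample: it parses event lines in the format the report uses and resolves the chain value name -> CLSID -> InProcServer32 DLL paths. The InProcServer32 lines are taken from the table above; the ShellServiceObjectDelayLoad line is constructed in the same format so the chain can be resolved end to end (the writer process on that line is an assumption).

```python
import re
from collections import defaultdict

# Registry events in the format this report uses, one per line. The
# InProcServer32 lines are taken from the report; the ShellServiceObjectDelayLoad
# line is constructed here in the same format (its writer process is assumed).
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfljkp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adnpkjde.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkpqlm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjhg32.dll" Agihgp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Pebpkk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Fppaej32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lneaqn32.exe
'''

# "Set value (str) <key>\<name> = "<data>" <writer>"; the default value has an empty name
SET_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.*)\\(?P<name>[^\\]*?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+) (?P<proc>\S+)$')
CLSID_KEY_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$')


def parse_events(text):
    """Turn the report's registry lines into dicts with op/key/name/data/proc."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            ev = m.groupdict()
            ev['op'] = 'set'
            # the report doubles backslashes inside string data; undo that
            ev['data'] = ev['data'].replace('\\\\', '\\')
            events.append(ev)
            continue
        m = KEY_RE.match(line)
        if m:
            events.append({'op': 'create', 'name': None, 'data': None, **m.groupdict()})
    return events


def ssodl_persistence(events):
    """Map each ShellServiceObjectDelayLoad value to the CLSID it names and to
    every DLL the sample pointed that CLSID's InProcServer32 at. Explorer
    instantiates each CLSID listed under that key at logon, so this is the
    complete chain: value name -> CLSID -> InProcServer32 default -> DLL."""
    servers = defaultdict(lambda: {'dlls': set(), 'threading': set(), 'writers': set()})
    for ev in events:
        m = CLSID_KEY_RE.search(ev['key'])
        if not m:
            continue
        rec = servers[m.group(1).upper()]
        rec['writers'].add(ev['proc'])
        if ev['op'] == 'set' and ev['name'] == '':
            rec['dlls'].add(ev['data'])
        elif ev['op'] == 'set' and ev['name'] == 'ThreadingModel':
            rec['threading'].add(ev['data'])
    chain = {}
    for ev in events:
        if ev['op'] == 'set' and ev['key'].endswith('\\ShellServiceObjectDelayLoad'):
            clsid = ev['data'].upper()
            rec = servers.get(clsid, {'dlls': set(), 'threading': set(), 'writers': set()})
            chain[ev['name']] = {
                'clsid': clsid,
                'registered_by': ev['proc'],
                'dlls': sorted(rec['dlls']),
                'threading': sorted(rec['threading']),
                'writers': sorted(rec['writers']),
            }
    return chain


if __name__ == '__main__':
    for name, rec in ssodl_persistence(parse_events(SAMPLE_EVENTS)).items():
        print(f"{name} -> {rec['clsid']} (set by {rec['registered_by']})")
        for dll in rec['dlls']:
            print(f"  InProcServer32 -> {dll}")
```

The DLL list this produces is what to pull from an infected host for analysis; on a live machine the same two keys (ShellServiceObjectDelayLoad under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion, and the CLSID's InProcServer32 under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID) can be read with reg query to confirm which DLL is currently wired in, since only the last write wins.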
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Qqdbiopj.exe
Akncimmh.exe
Abmdafpp.exe
Acqnnndl.exe
Bccjdnbi.exe
Bplhnoej.exe
Bbmapj32.exe
Cbajkiof.exe
Cjmopkla.exe
Chqoipkk.exe
Cdjmcpnl.exe
Dlgnmb32.exe
Dljkcb32.exe
Dpgcip32.exe
Diphbfdi.exe
description pid process target process
PID 1612 wrote to memory of 2116 1612 017467335df194176bc1b39851b55970_NeikiAnalytics.exe Qqdbiopj.exe
PID 1612 wrote to memory of 2116 1612 017467335df194176bc1b39851b55970_NeikiAnalytics.exe Qqdbiopj.exe
PID 1612 wrote to memory of 2116 1612 017467335df194176bc1b39851b55970_NeikiAnalytics.exe Qqdbiopj.exe
PID 1612 wrote to memory of 2116 1612 017467335df194176bc1b39851b55970_NeikiAnalytics.exe Qqdbiopj.exe
PID 2116 wrote to memory of 2912 2116 Qqdbiopj.exe Akncimmh.exe
PID 2116 wrote to memory of 2912 2116 Qqdbiopj.exe Akncimmh.exe
PID 2116 wrote to memory of 2912 2116 Qqdbiopj.exe Akncimmh.exe
PID 2116 wrote to memory of 2912 2116 Qqdbiopj.exe Akncimmh.exe
PID 2912 wrote to memory of 2688 2912 Akncimmh.exe Abmdafpp.exe
PID 2912 wrote to memory of 2688 2912 Akncimmh.exe Abmdafpp.exe
PID 2912 wrote to memory of 2688 2912 Akncimmh.exe Abmdafpp.exe
PID 2912 wrote to memory of 2688 2912 Akncimmh.exe Abmdafpp.exe
PID 2688 wrote to memory of 2936 2688 Abmdafpp.exe Acqnnndl.exe
PID 2688 wrote to memory of 2936 2688 Abmdafpp.exe Acqnnndl.exe
PID 2688 wrote to memory of 2936 2688 Abmdafpp.exe Acqnnndl.exe
PID 2688 wrote to memory of 2936 2688 Abmdafpp.exe Acqnnndl.exe
PID 2936 wrote to memory of 2468 2936 Acqnnndl.exe Bccjdnbi.exe
PID 2936 wrote to memory of 2468 2936 Acqnnndl.exe Bccjdnbi.exe
PID 2936 wrote to memory of 2468 2936 Acqnnndl.exe Bccjdnbi.exe
PID 2936 wrote to memory of 2468 2936 Acqnnndl.exe Bccjdnbi.exe
PID 2468 wrote to memory of 2836 2468 Bccjdnbi.exe Bplhnoej.exe
PID 2468 wrote to memory of 2836 2468 Bccjdnbi.exe Bplhnoej.exe
PID 2468 wrote to memory of 2836 2468 Bccjdnbi.exe Bplhnoej.exe
PID 2468 wrote to memory of 2836 2468 Bccjdnbi.exe Bplhnoej.exe
PID 2836 wrote to memory of 1052 2836 Bplhnoej.exe Bbmapj32.exe
PID 2836 wrote to memory of 1052 2836 Bplhnoej.exe Bbmapj32.exe
PID 2836 wrote to memory of 1052 2836 Bplhnoej.exe Bbmapj32.exe
PID 2836 wrote to memory of 1052 2836 Bplhnoej.exe Bbmapj32.exe
PID 1052 wrote to memory of 1748 1052 Bbmapj32.exe Cbajkiof.exe
PID 1052 wrote to memory of 1748 1052 Bbmapj32.exe Cbajkiof.exe
PID 1052 wrote to memory of 1748 1052 Bbmapj32.exe Cbajkiof.exe
PID 1052 wrote to memory of 1748 1052 Bbmapj32.exe Cbajkiof.exe
PID 1748 wrote to memory of 2484 1748 Cbajkiof.exe Cjmopkla.exe
PID 1748 wrote to memory of 2484 1748 Cbajkiof.exe Cjmopkla.exe
PID 1748 wrote to memory of 2484 1748 Cbajkiof.exe Cjmopkla.exe
PID 1748 wrote to memory of 2484 1748 Cbajkiof.exe Cjmopkla.exe
PID 2484 wrote to memory of 2860 2484 Cjmopkla.exe Chqoipkk.exe
PID 2484 wrote to memory of 2860 2484 Cjmopkla.exe Chqoipkk.exe
PID 2484 wrote to memory of 2860 2484 Cjmopkla.exe Chqoipkk.exe
PID 2484 wrote to memory of 2860 2484 Cjmopkla.exe Chqoipkk.exe
PID 2860 wrote to memory of 1796 2860 Chqoipkk.exe Cdjmcpnl.exe
PID 2860 wrote to memory of 1796 2860 Chqoipkk.exe Cdjmcpnl.exe
PID 2860 wrote to memory of 1796 2860 Chqoipkk.exe Cdjmcpnl.exe
PID 2860 wrote to memory of 1796 2860 Chqoipkk.exe Cdjmcpnl.exe
PID 1796 wrote to memory of 2248 1796 Cdjmcpnl.exe Dlgnmb32.exe
PID 1796 wrote to memory of 2248 1796 Cdjmcpnl.exe Dlgnmb32.exe
PID 1796 wrote to memory of 2248 1796 Cdjmcpnl.exe Dlgnmb32.exe
PID 1796 wrote to memory of 2248 1796 Cdjmcpnl.exe Dlgnmb32.exe
PID 2248 wrote to memory of 1368 2248 Dlgnmb32.exe Dljkcb32.exe
PID 2248 wrote to memory of 1368 2248 Dlgnmb32.exe Dljkcb32.exe
PID 2248 wrote to memory of 1368 2248 Dlgnmb32.exe Dljkcb32.exe
PID 2248 wrote to memory of 1368 2248 Dlgnmb32.exe Dljkcb32.exe
PID 1368 wrote to memory of 1696 1368 Dljkcb32.exe Dpgcip32.exe
PID 1368 wrote to memory of 1696 1368 Dljkcb32.exe Dpgcip32.exe
PID 1368 wrote to memory of 1696 1368 Dljkcb32.exe Dpgcip32.exe
PID 1368 wrote to memory of 1696 1368 Dljkcb32.exe Dpgcip32.exe
PID 1696 wrote to memory of 2320 1696 Dpgcip32.exe Diphbfdi.exe
PID 1696 wrote to memory of 2320 1696 Dpgcip32.exe Diphbfdi.exe
PID 1696 wrote to memory of 2320 1696 Dpgcip32.exe Diphbfdi.exe
PID 1696 wrote to memory of 2320 1696 Dpgcip32.exe Diphbfdi.exe
PID 2320 wrote to memory of 336 2320 Diphbfdi.exe Ejkkfjkj.exe
PID 2320 wrote to memory of 336 2320 Diphbfdi.exe Ejkkfjkj.exe
PID 2320 wrote to memory of 336 2320 Diphbfdi.exe Ejkkfjkj.exe
PID 2320 wrote to memory of 336 2320 Diphbfdi.exe Ejkkfjkj.exe
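The 64 WriteProcessMemory events above are 16 parent-to-child hops, each logged four times: the first pid is the writer, the second the freshly created process, and every stage writes into exactly one successor. The Python below is an added example, not part of the report or the sample: it parses events in this format (including the run-together form the page shows), collapses the repeats into a per-hop call count, and rebuilds the chain from the root, checking that it is strictly linear, which is what the Processes tree below also shows. The embedded sample is the first four hops from the table, rebuilt from the report's own values.

```python
import re
from collections import Counter, defaultdict

ROOT = "017467335df194176bc1b39851b55970_NeikiAnalytics.exe"

# First four hops of the WriteProcessMemory table, in the report's format.
# The sandbox logged each hop four times and the page runs the events
# together on one line, so the sample is built the same way.
SAMPLE_WPM = " ".join(
    [f"PID 1612 wrote to memory of 2116 1612 {ROOT} Qqdbiopj.exe"] * 4
    + ["PID 2116 wrote to memory of 2912 2116 Qqdbiopj.exe Akncimmh.exe"] * 4
    + ["PID 2912 wrote to memory of 2688 2912 Akncimmh.exe Abmdafpp.exe"] * 4
    + ["PID 2688 wrote to memory of 2936 2688 Abmdafpp.exe Acqnnndl.exe"] * 4
)

# columns as the report labels them: description, pid, process, target process
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\S+)"
)


def parse_wpm(blob):
    """Split a run-together block of events into one dict per logged call."""
    return [m.groupdict() for m in EVENT_RE.finditer(blob)]


def injection_edges(events):
    """Collapse repeated calls into (writer pid, target pid) -> call count and
    remember the image name seen for every pid."""
    counts = Counter()
    names = {}
    for ev in events:
        src, dst = int(ev["src"]), int(ev["dst"])
        counts[(src, dst)] += 1
        names[src] = ev["proc"]
        names[dst] = ev["target"]
    return counts, names


def reconstruct_chain(counts, names):
    """Walk writer -> target from the root (the only pid never written to).
    Returns the ordered chain and whether it is strictly linear: one root and
    at most one child per process."""
    children = defaultdict(list)
    for src, dst in counts:
        children[src].append(dst)
    targets = {dst for _, dst in counts}
    roots = sorted({src for src, _ in counts} - targets)
    linear = len(roots) == 1
    chain, seen = [], set()
    pid = roots[0] if roots else None
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, names[pid]))
        kids = children.get(pid, [])
        if len(kids) > 1:
            linear = False
        pid = kids[0] if kids else None
    return chain, linear


if __name__ == "__main__":
    counts, names = injection_edges(parse_wpm(SAMPLE_WPM))
    chain, linear = reconstruct_chain(counts, names)
    print("linear chain" if linear else "branching tree", "of", len(chain), "processes")
    for (src, dst), n in sorted(counts.items()):
        print(f"{names[src]} ({src}) -> {names[dst]} ({dst}): {n} calls")
```

Run over the full table the same code yields 17 processes in the order the tree below lists them (1612 down to 336) with every hop at four calls; a hop with a different count, or a process with two children, would be the first thing to look at in a sample that does not behave like this one.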
Processes
-
C:\Users\Admin\AppData\Local\Temp\017467335df194176bc1b39851b55970_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\017467335df194176bc1b39851b55970_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1120 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:240 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe34⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe37⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe38⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe39⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe42⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe44⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe48⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe49⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe51⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe52⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe54⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe55⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe58⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe59⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe61⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe63⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe66⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe67⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe68⤵PID:3008
-
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe69⤵PID:1528
-
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe70⤵PID:924
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe71⤵PID:1840
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe72⤵PID:2988
-
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe74⤵PID:2396
-
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe75⤵PID:2916
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe76⤵PID:2096
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe77⤵PID:2068
-
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe78⤵PID:2172
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe79⤵PID:2740
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe81⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe83⤵PID:1632
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe84⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe85⤵PID:2108
-
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe86⤵
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe87⤵PID:1076
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe88⤵PID:2992
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe89⤵PID:2196
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe90⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe91⤵PID:2368
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe92⤵PID:860
-
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe93⤵PID:2980
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe94⤵PID:2624
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe95⤵PID:2628
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe96⤵PID:2704
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe97⤵PID:572
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe98⤵PID:2708
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe99⤵PID:1980
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe100⤵PID:808
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe101⤵PID:944
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe102⤵
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe103⤵PID:1260
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe104⤵PID:2040
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe105⤵PID:1348
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe106⤵PID:1608
-
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe107⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe108⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:484 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe110⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe111⤵PID:2840
-
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe112⤵PID:824
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe113⤵PID:2832
-
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe114⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe115⤵PID:468
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe116⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe119⤵PID:2768
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe120⤵
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe122⤵PID:2476
-
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe123⤵
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe124⤵PID:1876
-
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe126⤵PID:2444
-
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe127⤵PID:1700
-
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe129⤵PID:2024
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe130⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe131⤵PID:1668
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe132⤵PID:2864
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe133⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe134⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe135⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe136⤵PID:1380
-
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2328 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe138⤵PID:768
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe139⤵PID:2520
-
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe140⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe141⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe143⤵PID:1676
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe144⤵PID:1512
-
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe146⤵PID:2404
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe148⤵PID:1712
-
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe149⤵PID:1584
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe150⤵PID:2220
-
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:400 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe152⤵PID:2512
-
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe153⤵PID:1820
-
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe155⤵PID:1680
-
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe156⤵PID:1084
-
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe157⤵PID:2728
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe158⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe159⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe162⤵PID:2252
-
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe163⤵PID:2124
-
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe164⤵PID:3056
-
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe165⤵PID:2496
-
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe166⤵PID:2180
-
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe167⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe168⤵PID:2128
-
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe169⤵PID:520
-
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:872 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe171⤵PID:2544
-
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe173⤵PID:2920
-
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe174⤵PID:3028
-
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe175⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe176⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:980 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe178⤵PID:276
-
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe180⤵PID:2964
-
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe181⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe182⤵PID:812
-
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe183⤵PID:1336
-
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe184⤵PID:1320
-
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe185⤵PID:2420
-
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe186⤵PID:2664
-
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe187⤵PID:2756
-
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe188⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe189⤵PID:2816
-
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe191⤵PID:2736
-
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe192⤵PID:2540
-
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe193⤵PID:2224
-
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe194⤵PID:1644
-
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe195⤵
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe196⤵
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe197⤵
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3220 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe199⤵PID:3260
-
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3300 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe201⤵PID:3340
-
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3380 -
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3420 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe204⤵PID:3460
-
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe205⤵PID:3500
-
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe206⤵PID:3540
-
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe207⤵PID:3580
-
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3620 -
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe209⤵PID:3660
-
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe210⤵PID:3700
-
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe211⤵PID:3740
-
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe212⤵PID:3780
-
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe213⤵PID:3824
-
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe214⤵
- Modifies registry class
PID:3864 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe215⤵PID:3904
-
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe217⤵PID:3984
-
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe218⤵
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe219⤵PID:4064
-
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe220⤵PID:2648
-
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe221⤵PID:1728
-
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe222⤵PID:3160
-
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe223⤵PID:3204
-
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe224⤵
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe225⤵PID:3312
-
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe226⤵PID:3368
-
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe227⤵PID:3200
-
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe228⤵PID:2352
-
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe229⤵PID:3280
-
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe230⤵PID:3552
-
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe231⤵PID:3600
-
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe232⤵
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe233⤵
- Drops file in System32 directory
PID:3712 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe234⤵PID:3752
-
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe235⤵
- Modifies registry class
PID:3812 -
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe236⤵PID:3856
-
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe237⤵PID:3916
-
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe238⤵PID:3972
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe239⤵PID:4032
-
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe240⤵PID:4088
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe241⤵PID:3124
-
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe242⤵PID:3760
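The tree above renders each process as its image path and command line run together, followed by the nesting depth and an arrow, with the PID either on a following "PID:" line (when signature lines intervene) or on the same line. The Python below is an added example, not part of the report or the sample: it parses an excerpt of the tree exactly as rendered on this page and runs the checks a responder would want over it, namely that depths are contiguous (one child per process), that every dropped stage lives in SysWOW64, that the names fit the 8-character pattern every stage in this report uses, which command lines were redirected from system32 to SysWOW64, and which pids carry the autorun signature. The excerpt is the first three processes plus the depth-68 entry, so the gap between them is deliberate and shows what the contiguity check reports. The name pattern is an observation from this report, not a family signature, and the arrow character is assumed to be the one the page uses.

```python
import re

# Excerpt of the "Processes" tree above, exactly as this page renders it.
# Depths 4-67 are deliberately left out so the contiguity check has
# something to report.
SAMPLE_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\017467335df194176bc1b39851b55970_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\017467335df194176bc1b39851b55970_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe68⤵PID:3008
-
'''

# image path, optional quote, command line, optional quote, depth, arrow, optional PID
TREE_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.+?\.exe)"?(?P<cmdline>[A-Za-z]:\\.+?\.exe)"?(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$'
)
PERSIST_SIG = 'Adds autorun key to be loaded by Explorer.exe on startup'
SYSWOW64 = 'c:\\windows\\syswow64\\'


def parse_tree(text):
    """One dict per process: image, cmdline, depth, pid, signatures."""
    procs = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = TREE_RE.match(line)
        if m:
            p = m.groupdict()
            p['depth'] = int(p['depth'])
            p['pid'] = int(p['pid']) if p['pid'] else None
            p['signatures'] = []
            procs.append(p)
        elif line.startswith('- ') and procs:
            procs[-1]['signatures'].append(line[2:])
        elif line.startswith('PID:') and procs:
            procs[-1]['pid'] = int(line[4:].split()[0])
    return procs


def check_tree(procs):
    """Checks over the parsed tree:
    gaps             consecutive entries whose depth does not grow by exactly one
    outside_syswow64 dropped EXEs not living in the SysWOW64 directory
    odd_names        dropped EXEs not matching the 8-character names seen here
    redirected       pids whose command line path differs from the image path
                     (system32 requested, SysWOW64 loaded: WOW64 redirection)
    persisters       pids carrying the autorun/Explorer signature"""
    dropped = procs[1:]
    return {
        'gaps': [(a['depth'], b['depth']) for a, b in zip(procs, procs[1:])
                 if b['depth'] != a['depth'] + 1],
        'outside_syswow64': [p['image'] for p in dropped
                             if not p['image'].lower().startswith(SYSWOW64)],
        'odd_names': [p['image'] for p in dropped
                      if not re.search(r'\\[A-Z][a-z0-9]{7}\.exe$', p['image'])],
        'redirected': [p['pid'] for p in procs
                       if p['image'].lower() != p['cmdline'].lower()],
        'persisters': [p['pid'] for p in procs if PERSIST_SIG in p['signatures']],
    }


if __name__ == '__main__':
    procs = parse_tree(SAMPLE_TREE)
    print(len(procs), 'processes parsed')
    for key, value in check_tree(procs).items():
        print(f'{key}: {value}')
```

The system32/SysWOW64 mismatch the check reports is not evasion: each dropped stage is a 32-bit image launched with a C:\Windows\system32 path, and on x64 the WOW64 layer redirects that to SysWOW64, which is also why every registry write in this report lands under Wow6432Node. The "Drops file in System32 directory" signature refers to the same redirected directory.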