Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 00:49
Behavioral task: behavioral1
Sample: 167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe
Size: 135KB
MD5: 167077d6890036ffe3ad9985661fd030
SHA1: 20d790a39f763c3a76abae7aab1d276d744df0b1
SHA256: 6960f8508b15f8ae4092c3390382580212d998bc9d6be1285562ff127784465c
SHA512: b8f706057994ee8514accc7c0a26a45add54a9ce43acfe553282eccda629e5e8f48b86452e2e667d8f13c81fb73dfd6b065c4a93859022e4a720e211159f9960
SSDEEP: 1536:S+DsWYxqNfUPJQGpOYZSM2TflYBG3QYD3Q55+O6iE1G9FGP7YfsuxTa0nUoiv:1hUPdArTfK8Qr5+ViKGe7Yfs0a0Uoi
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Processes:
Lcfbdd32.exeMccbmh32.exeCkhdggom.exeIakino32.exeJmipdo32.exeImnbbi32.exeBjbndpmd.exeGaagcpdl.exeAlqnah32.exeGjojef32.exeBhonjg32.exeCmfmojcb.exeCkpckece.exeMejlalji.exeFkcilc32.exeNbbbdcgi.exeHcgjmo32.exeBgcbhd32.exeEdnbncmb.exeOhcdhi32.exeAjcipc32.exeHjdfjo32.exeAqjdgmgd.exeGdmdacnn.exeHohkmj32.exePkmlmbcd.exeBccmmf32.exeOioipf32.exeQqfkln32.exeEopphehb.exeDbafjlaa.exeMbnljqic.exeDbaice32.exeNbniid32.exeLgpiij32.exeLfhhjklc.exeJijokbfp.exeGmhbkohm.exeComdkipe.exeIoooiack.exeMcckcbgp.exeFeddombd.exeFdpgph32.exeJmdgipkk.exeAibcba32.exeMpmcielb.exeFajbke32.exeQdlggg32.exeApgagg32.exeFmlbjq32.exeFggkcl32.exeOjglhm32.exeFlnlkgjq.exeOjomdoof.exeJgncfcaa.exeEdlfhc32.exeGbdhjm32.exePcghof32.exeLklgbadb.exeDbfbnddq.exePhcpgm32.exeCeeieced.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmladcej.dll" Lcfbdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mccbmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll" Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imnbbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = 
"Apartment" Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll" Alqnah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlqmdnof.dll" Bhonjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiegdegb.dll" Mejlalji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll" Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmldop32.dll" Nbbbdcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcgjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ednbncmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemngplg.dll" Ohcdhi32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingkfk32.dll" Ajcipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjdfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqjdgmgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdmdacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkmlmbcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klncqmjg.dll" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oioipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenfeoiq.dll" Qqfkln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eopphehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbafjlaa.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbnljqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbaice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemjkkbq.dll" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbbbdcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfhhjklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmbdp32.dll" Gmhbkohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hngpchih.dll" Comdkipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcjcekp.dll" Feddombd.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loeccoai.dll" Fdpgph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmdgipkk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibcba32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpmcielb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgogp32.dll" Fajbke32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdlggg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Apgagg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlbjq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggkcl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojglhm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffhohhi.dll" Flnlkgjq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojomdoof.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgncfcaa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edlfhc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdhjm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcghof32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lklgbadb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbfbnddq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcpgm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceeieced.exe -
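The InProcServer32 writes above are the second half of the autorun mechanism the report flags: a ShellServiceObjectDelayLoad (SSODL) value names a CLSID, and that CLSID's InProcServer32 default value names the DLL explorer.exe loads in-process when the shell starts. Note that several different dropped processes point the same CLSID at different DLLs (Loeccoai.dll, Mbgogp32.dll, Dkppib32.dll, Iffhohhi.dll), so only the last write decides which DLL is loaded. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses event lines in the report's format and resolves the SSODL-to-CLSID-to-DLL chain. The sample lines are constructed: the CLSID lines are copied from the events above, while the SSODL lines follow the same format with a placeholder value name ("ExampleEntry") and an assumed writer. The Wow6432Node paths are the WOW64-redirected registry view that a 32-bit process sees on x64 Windows, which is consistent with the DLLs being dropped under SysWow64.

```python
import re
from collections import defaultdict

# Constructed sample in this report's event format. The InProcServer32,
# ThreadingModel and "Key created" CLSID lines are copied from the report; the
# ShellServiceObjectDelayLoad lines follow the same format with a placeholder
# value name ("ExampleEntry") and an assumed writing process.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edlfhc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ExampleEntry = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihfjognl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibcba32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loeccoai.dll" Fdpgph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmdgipkk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgogp32.dll" Fajbke32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Apgagg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffhohhi.dll" Flnlkgjq.exe
"""

# '<op> <key\value> [= "<data>"] <writing process>'. The key path may contain
# spaces, so it is matched lazily and the trailing process name anchors the end.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created) (?P<path>.+?)'
    r'(?: = "(?P<data>.*)")? (?P<proc>\S+)$'
)
SSODL_SUFFIX = "\\ShellServiceObjectDelayLoad"
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$")


def parse_event(line):
    """Split one report line into op, key, value name, data and writing process."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    if m["op"] == "Key created":
        key, name = m["path"], None
    else:
        # "...\InProcServer32\ = ..." is the key's default value (empty name)
        key, _, name = m["path"].rpartition("\\")
    data = m["data"]
    if data is not None:
        data = data.replace("\\\\", "\\")  # the report doubles backslashes inside quoted data
    return {"op": m["op"], "key": key, "name": name, "data": data, "proc": m["proc"]}


def resolve_ssodl(text):
    """Map each SSODL value to its CLSID and to every DLL that CLSID was pointed at."""
    entries = {}                 # SSODL value name -> (CLSID, writing process)
    servers = defaultdict(list)  # CLSID -> [(dll path, writing process)] in write order
    for ev in filter(None, map(parse_event, text.splitlines())):
        if not ev["op"].startswith("Set value"):
            continue
        data = ev["data"] or ""
        if ev["key"].endswith(SSODL_SUFFIX) and data.startswith("{"):
            entries[ev["name"]] = (data.upper(), ev["proc"])
            continue
        m = INPROC_RE.search(ev["key"])
        if m and ev["name"] == "":
            servers[m.group(1).upper()].append((data, ev["proc"]))
    chains = {}
    for name, (clsid, writer) in entries.items():
        history = servers.get(clsid, [])
        chains[name] = {
            "clsid": clsid,
            "registered_by": writer,
            "dll_history": history,
            "effective_dll": history[-1][0] if history else None,  # last write wins
        }
    return chains


if __name__ == "__main__":
    for name, chain in resolve_ssodl(SAMPLE_EVENTS).items():
        print(f"SSODL '{name}' -> {chain['clsid']} (set by {chain['registered_by']})")
        for dll, proc in chain["dll_history"]:
            print(f"  InProcServer32 = {dll}  [{proc}]")
        print(f"  shell would load: {chain['effective_dll']}")
```

On a live host the same resolution is done by reading every value under HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (native and Wow6432Node views) and then the InProcServer32 default value of each listed CLSID; any entry whose DLL is not a signed Microsoft shell component deserves a closer look.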
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe
Hlffdh32.exe
Ibehla32.exe
Idiaii32.exe
Ihfjognl.exe
Jkgcab32.exe
Jgncfcaa.exe
Joihjfnl.exe
Jlmicj32.exe
Jajala32.exe
Kbokgpgg.exe
Khiccj32.exe
Kdpcikdi.exe
Kgpmjf32.exe
Kqiaclhj.exe
Ljcbaamh.exe
description pid process target process
PID 2820 wrote to memory of 1896 2820 167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe Hlffdh32.exe (×4)
PID 1896 wrote to memory of 2768 1896 Hlffdh32.exe Ibehla32.exe (×4)
PID 2768 wrote to memory of 2488 2768 Ibehla32.exe Idiaii32.exe (×4)
PID 2488 wrote to memory of 2620 2488 Idiaii32.exe Ihfjognl.exe (×4)
PID 2620 wrote to memory of 2368 2620 Ihfjognl.exe Jkgcab32.exe (×4)
PID 2368 wrote to memory of 2352 2368 Jkgcab32.exe Jgncfcaa.exe (×4)
PID 2352 wrote to memory of 1856 2352 Jgncfcaa.exe Joihjfnl.exe (×4)
PID 1856 wrote to memory of 1952 1856 Joihjfnl.exe Jlmicj32.exe (×4)
PID 1952 wrote to memory of 904 1952 Jlmicj32.exe Jajala32.exe (×4)
PID 904 wrote to memory of 1488 904 Jajala32.exe Kbokgpgg.exe (×4)
PID 1488 wrote to memory of 2300 1488 Kbokgpgg.exe Khiccj32.exe (×4)
PID 2300 wrote to memory of 1152 2300 Khiccj32.exe Kdpcikdi.exe (×4)
PID 1152 wrote to memory of 1648 1152 Kdpcikdi.exe Kgpmjf32.exe (×4)
PID 1648 wrote to memory of 884 1648 Kgpmjf32.exe Kqiaclhj.exe (×4)
PID 884 wrote to memory of 2588 884 Kqiaclhj.exe Ljcbaamh.exe (×4)
PID 2588 wrote to memory of 3020 2588 Ljcbaamh.exe Lmdkcl32.exe (×4)
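The WriteProcessMemory events above describe a strictly linear lineage: each dropped executable writes into exactly one successor, which in turn drops and starts the next, so the sixteen parent-to-child pairs form a single hand-off chain from the submitted sample down to Lmdkcl32.exe. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses lines in the sandbox's raw "wrote to memory of" format, in which each parent-to-child write is logged four times, deduplicates them, reconstructs the chain from the root process and checks that the chain is linear. The sample is a constructed subset of the report's events covering the first three edges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of this report's "wrote to memory of" events, in
# the sandbox's raw line format (each parent->child write appears four times).
SAMPLE_WPM = """
PID 2820 wrote to memory of 1896 2820 167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe Hlffdh32.exe
PID 2820 wrote to memory of 1896 2820 167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe Hlffdh32.exe
PID 2820 wrote to memory of 1896 2820 167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe Hlffdh32.exe
PID 2820 wrote to memory of 1896 2820 167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe Hlffdh32.exe
PID 1896 wrote to memory of 2768 1896 Hlffdh32.exe Ibehla32.exe
PID 1896 wrote to memory of 2768 1896 Hlffdh32.exe Ibehla32.exe
PID 1896 wrote to memory of 2768 1896 Hlffdh32.exe Ibehla32.exe
PID 1896 wrote to memory of 2768 1896 Hlffdh32.exe Ibehla32.exe
PID 2768 wrote to memory of 2488 2768 Ibehla32.exe Idiaii32.exe
PID 2768 wrote to memory of 2488 2768 Ibehla32.exe Idiaii32.exe
PID 2768 wrote to memory of 2488 2768 Ibehla32.exe Idiaii32.exe
PID 2768 wrote to memory of 2488 2768 Ibehla32.exe Idiaii32.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src name> <dst name>"; the source
# PID is repeated, so a backreference rejects lines where the two copies differ.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)$"
)


def parse_wpm(text):
    """Return (edge counts {(src_pid, dst_pid): n}, {pid: image name})."""
    edges = Counter()
    names = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        names[src] = m["src_name"]
        names[dst] = m["dst_name"]
    return edges, names


def lineage(edges):
    """Build the parent->children map and walk each root down to its last descendant."""
    children = defaultdict(list)
    parents = {}
    for src, dst in sorted(edges):
        children[src].append(dst)
        parents[dst] = src
    roots = sorted(p for p in children if p not in parents)
    chains = []
    for root in roots:
        chain, seen, cur = [root], {root}, root
        while children.get(cur):
            nxt = children[cur][0]  # follow the first child; `seen` guards against cycles in corrupt logs
            if nxt in seen:
                break
            chain.append(nxt)
            seen.add(nxt)
            cur = nxt
        chains.append(chain)
    return roots, chains, children


def is_linear(children):
    """True when every parent writes into exactly one child, i.e. a single hand-off chain."""
    return all(len(kids) == 1 for kids in children.values())


def describe(chain, names):
    """Render a chain as 'image (pid) -> image (pid) -> ...'."""
    return " -> ".join(f"{names.get(pid, '?')} ({pid})" for pid in chain)


if __name__ == "__main__":
    edges, names = parse_wpm(SAMPLE_WPM)
    roots, chains, children = lineage(edges)
    print(f"{sum(edges.values())} calls over {len(edges)} unique parent->child pairs")
    for chain in chains:
        print(describe(chain, names))
    if is_linear(children) and chains and len(chains[0]) >= 3:
        print("linear hand-off chain of dropped executables (worm-style propagation)")
```

The four identical lines per edge come from the sandbox logging every WriteProcessMemory call during process creation; deduplicating on (source PID, target PID) is what turns 64 IoCs into the 16-step chain, and the linearity check is the feature worth alerting on, since a legitimate installer rarely produces a chain of a dozen freshly dropped executables each starting exactly one successor.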
Processes
-
C:\Users\Admin\AppData\Local\Temp\167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\167077d6890036ffe3ad9985661fd030_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:720 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe33⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe37⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe39⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe40⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe41⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe42⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe44⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe45⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe46⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe48⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe51⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe52⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe53⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe54⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe57⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe58⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe60⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe61⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe62⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe64⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe66⤵PID:2160
-
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe67⤵PID:2748
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe68⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe69⤵PID:2908
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe70⤵PID:832
-
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe71⤵PID:3024
-
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe72⤵PID:2124
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe73⤵PID:292
-
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe74⤵PID:3028
-
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe75⤵PID:2076
-
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe76⤵PID:2840
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe77⤵PID:2868
-
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe78⤵PID:2556
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe79⤵PID:1052
-
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe80⤵PID:1320
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe81⤵PID:2828
-
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe82⤵PID:2288
-
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe83⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe84⤵PID:2140
-
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe85⤵PID:1596
-
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe86⤵PID:1084
-
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe87⤵PID:1572
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe88⤵PID:1980
-
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe91⤵PID:2732
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe92⤵PID:2084
-
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe93⤵PID:2484
-
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe94⤵PID:2436
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe95⤵PID:2036
-
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe96⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe97⤵PID:576
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe98⤵PID:624
-
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe99⤵PID:2192
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe100⤵PID:1368
-
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe101⤵PID:1756
-
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe102⤵PID:2648
-
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe103⤵PID:2656
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe104⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe105⤵
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe106⤵PID:1580
-
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe107⤵PID:1784
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe108⤵PID:2080
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe109⤵PID:2736
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe110⤵PID:2264
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe111⤵PID:2340
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe112⤵PID:2672
-
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe113⤵PID:2800
-
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe114⤵PID:1412
-
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe115⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe116⤵PID:2164
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe117⤵
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe118⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe119⤵
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe120⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe121⤵PID:2424
-
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe122⤵PID:1608
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe124⤵PID:668
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe125⤵PID:1808
-
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe126⤵PID:2012
-
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe127⤵
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe129⤵PID:2676
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe130⤵PID:1700
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe131⤵PID:1392
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe132⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe133⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe134⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe135⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe136⤵PID:1660
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe137⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe138⤵
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe139⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe140⤵PID:2420
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe141⤵
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe142⤵PID:836
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe144⤵PID:584
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe145⤵PID:864
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe146⤵PID:2268
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe148⤵PID:2988
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe149⤵PID:2096
-
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe150⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe151⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe152⤵PID:1772
-
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe153⤵PID:1288
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe154⤵PID:980
-
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe155⤵PID:1164
-
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe156⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe157⤵PID:2608
-
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe158⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe159⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe160⤵PID:828
-
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe161⤵PID:1936
-
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe162⤵PID:2584
-
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe163⤵PID:2652
-
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe164⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe165⤵PID:1624
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe166⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe167⤵PID:2380
-
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe168⤵PID:2176
-
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe169⤵PID:768
-
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe170⤵PID:952
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe172⤵PID:1760
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe173⤵PID:2496
-
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe174⤵PID:2452
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe175⤵PID:552
-
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe176⤵PID:2788
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe177⤵PID:2884
-
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe178⤵PID:1764
-
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1096 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe180⤵PID:800
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe181⤵PID:1960
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe182⤵PID:328
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe183⤵PID:1536
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe184⤵PID:776
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe185⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe188⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe190⤵PID:2400
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe191⤵PID:1612
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe192⤵PID:936
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:436 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe194⤵PID:2664
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe195⤵PID:812
-
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe196⤵PID:2396
-
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe198⤵PID:2892
-
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe199⤵PID:1988
-
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe200⤵PID:3096
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe201⤵
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe202⤵
- Drops file in System32 directory
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe203⤵PID:3224
-
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe204⤵
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe205⤵PID:3304
-
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe206⤵
- Drops file in System32 directory
PID:3344 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe207⤵PID:3384
-
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe208⤵
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe209⤵PID:3464
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe210⤵PID:3508
-
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe211⤵
- Drops file in System32 directory
PID:3548 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe212⤵PID:3588
-
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3628 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe214⤵PID:3668
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe215⤵PID:3708
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3748 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe217⤵PID:3788
-
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe218⤵
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3868 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe220⤵PID:3908
-
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe221⤵PID:3948
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe222⤵
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe223⤵PID:4028
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe224⤵PID:4072
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe225⤵PID:3088
-
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe226⤵
- Drops file in System32 directory
PID:3132 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3156 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe228⤵PID:3240
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe229⤵PID:3276
-
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe230⤵PID:3352
-
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe231⤵PID:3372
-
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe232⤵PID:3408
-
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3480 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe234⤵PID:3520
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe235⤵PID:3580
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe236⤵PID:3624
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe237⤵PID:3684
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe238⤵PID:3756
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe239⤵PID:3780
-
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe240⤵PID:3836
-
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe241⤵
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe242⤵PID:3944