Analysis

max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 01:15
Behavioral task behavioral1
  Sample: 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe
  Resource: win7-20240215-en

Behavioral task behavioral2
  Sample: 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe
Size: 374KB
MD5: 1a77d5ecd2fa27578d658e03657ab7c0
SHA1: 045165a890734661a8dcd7ad8595494e1c0793fa
SHA256: bf00b789eb1689cbd7d62ec2fc02bf0dcaa0d1bd63704de9b807c91a008b2ad1
SHA512: ee15df11d3ff406ce950cfe1b1feadb56a24227a6d0ba7fda46b7299d8866d56a54237c74ccdf77d220f9736bd74b136a9375fdf01b3be83d4cf4a8fa41f21a9
SSDEEP: 6144:XMgx0rCoiOxikZ+Eu6QnFw5+0pU8oStTf3runG/qoxfIkeI1SHkF63lngMBdkw8D:7To/ZE6uidyzwr6AxfLeI1Su63lgMBdQ
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by: Okchhc32.exe, Egoife32.exe, Geapeg32.exe, Incpoe32.exe, Bafidiio.exe, Ggjfnk32.exe, Ailkjmpo.exe, Jebiaelb.exe, Qeqbkkej.exe, Gacpdbej.exe, Jkonco32.exe, Nhkbkc32.exe, Kngfih32.exe, Mihiih32.exe, Clcflkic.exe, Pnlqnl32.exe, Ejameg32.exe, Kphimanc.exe, Ogfpbeim.exe, Chcqpmep.exe, Idhopq32.exe, Ldidkbpb.exe, Ecqqpgli.exe, Keikqhhe.exe, Dhjgal32.exe, Cgmkmecg.exe, Dookgcij.exe, Qhmbagfa.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
  by: Lhggmchi.exe, Pchpbded.exe, Cfgaiaci.exe, Djmicm32.exe, Iqljlb32.exe, Gdopkn32.exe, Djklnnaj.exe, Faokjpfd.exe, Mkeimlfm.exe, Obafnlpn.exe, Hpmgqnfl.exe, Gdnghpkq.exe, Ocomlemo.exe, Cljcelan.exe, Mmahdggc.exe, Odegpj32.exe, Focbnj32.exe, Nghphaeo.exe, Ddokpmfo.exe, Ekelld32.exe, Aipddi32.exe, Kemejc32.exe, Mppepcfg.exe, Eqdajkkb.exe, Njiijlbp.exe, Kjqccigf.exe, Nkbhgojk.exe, Blgpef32.exe, Joepio32.exe, Dqelenlc.exe, Jcbellac.exe, Abmbhn32.exe, Fhlfgppj.exe, Ccdlbf32.exe, Bdooajdc.exe, Kblhgk32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
YARA rule family_berbew matched the following dropped files:
  \Windows\SysWOW64\Eafkfb32.exe
  \Windows\SysWOW64\Efcdoipc.exe
  \Windows\SysWOW64\Eplhgn32.exe
  C:\Windows\SysWOW64\Ejameg32.exe
  C:\Windows\SysWOW64\Eidmqdmd.exe
  C:\Windows\SysWOW64\Fekneebh.exe
  C:\Windows\SysWOW64\Fmbefbck.exe
  C:\Windows\SysWOW64\Focbnj32.exe
  C:\Windows\SysWOW64\Fhlfgppj.exe
  C:\Windows\SysWOW64\Fklpik32.exe
  \Windows\SysWOW64\Febcfd32.exe
  \Windows\SysWOW64\Flllcndm.exe
  C:\Windows\SysWOW64\Fmmhjf32.exe
  C:\Windows\SysWOW64\Fdgqgqah.exe
  C:\Windows\SysWOW64\Gkaidjhe.exe
  C:\Windows\SysWOW64\Gheimogo.exe
  C:\Windows\SysWOW64\Gdljbp32.exe
  C:\Windows\SysWOW64\Giffeg32.exe
  C:\Windows\SysWOW64\Gllhaa32.exe
  C:\Windows\SysWOW64\Hceqnlnf.exe
  C:\Windows\SysWOW64\Hkcbhn32.exe
  C:\Windows\SysWOW64\Hgjbmoob.exe
  C:\Windows\SysWOW64\Hoakolod.exe
  C:\Windows\SysWOW64\Hjmhdi32.exe
  C:\Windows\SysWOW64\Ichico32.exe
  C:\Windows\SysWOW64\Ijaapifk.exe
  C:\Windows\SysWOW64\Iqljlb32.exe
  C:\Windows\SysWOW64\Ibmfdkcf.exe
  C:\Windows\SysWOW64\Iigoqe32.exe
  C:\Windows\SysWOW64\Ioagno32.exe
  C:\Windows\SysWOW64\Ibocjk32.exe
  C:\Windows\SysWOW64\Iiikfehq.exe
  C:\Windows\SysWOW64\Joepio32.exe
  C:\Windows\SysWOW64\Jgqemakf.exe
  C:\Windows\SysWOW64\Jnkmjk32.exe
  C:\Windows\SysWOW64\Jjanolhg.exe
  C:\Windows\SysWOW64\Jmpjkggj.exe
  C:\Windows\SysWOW64\Jpqclb32.exe
  C:\Windows\SysWOW64\Jjfgjk32.exe
  C:\Windows\SysWOW64\Kappfeln.exe
  C:\Windows\SysWOW64\Kcolba32.exe
  C:\Windows\SysWOW64\Kikdkh32.exe
  C:\Windows\SysWOW64\Kmgpkfab.exe
  C:\Windows\SysWOW64\Kmimafop.exe
  C:\Windows\SysWOW64\Kfaajlfp.exe
  C:\Windows\SysWOW64\Khcnad32.exe
  C:\Windows\SysWOW64\Kbhbom32.exe
  C:\Windows\SysWOW64\Kjcgco32.exe
  C:\Windows\SysWOW64\Kdlkld32.exe
  C:\Windows\SysWOW64\Lmdpejfq.exe
  C:\Windows\SysWOW64\Lhjdbcef.exe
  C:\Windows\SysWOW64\Lodlom32.exe
  C:\Windows\SysWOW64\Lhlqhb32.exe
  C:\Windows\SysWOW64\Lkmjin32.exe
  C:\Windows\SysWOW64\Lpjbad32.exe
  C:\Windows\SysWOW64\Libgjj32.exe
  C:\Windows\SysWOW64\Mcjkcplm.exe
  C:\Windows\SysWOW64\Moalhq32.exe
  C:\Windows\SysWOW64\Mhjpaf32.exe
  C:\Windows\SysWOW64\Mhlmgf32.exe
  C:\Windows\SysWOW64\Mepnpj32.exe
  C:\Windows\SysWOW64\Mgajhbkg.exe
  C:\Windows\SysWOW64\Mohbip32.exe
  C:\Windows\SysWOW64\Mgcgmb32.exe
Executes dropped EXE (64 IoCs)

pid   process
2504  Eafkfb32.exe
2648  Efcdoipc.exe
2748  Eplhgn32.exe
1664  Ejameg32.exe
2428  Eidmqdmd.exe
2100  Fekneebh.exe
1212  Fmbefbck.exe
2588  Focbnj32.exe
1532  Fhlfgppj.exe
2304  Fklpik32.exe
1612  Fbcgjh32.exe
1080  Febcfd32.exe
1704  Flllcndm.exe
2380  Fmmhjf32.exe
2088  Fdgqgqah.exe
488   Gkaidjhe.exe
864   Gheimogo.exe
2968  Giffeg32.exe
1316  Gdljbp32.exe
2132  Ggjfnk32.exe
876   Gmdoke32.exe
1724  Gpbkgq32.exe
1948  Gdnghpkq.exe
1444  Gglcdkjd.exe
2288  Gliklahk.exe
1548  Gohhhmgo.exe
2568  Gccdil32.exe
2516  Geapeg32.exe
2408  Gllhaa32.exe
2456  Gpgdbpob.exe
1276  Hceqnlnf.exe
2436  Hahqjh32.exe
2808  Hedmkgmi.exe
1252  Hlnega32.exe
2708  Hchmdklc.exe
1332  Hefipfkg.exe
2024  Hheelbjj.exe
2072  Hlpamq32.exe
1456  Hkcbhn32.exe
604   Hnandi32.exe
2116  Hdkfacpo.exe
276   Hgjbmoob.exe
1872  Hoakolod.exe
952   Haogkgoh.exe
1984  Hdncgbnl.exe
1224  Hglocnmp.exe
1648  Hjkkojlc.exe
1540  Hbbcpg32.exe
2668  Hqddldcp.exe
2524  Hdpplb32.exe
2852  Hgolhn32.exe
868   Hjmhdi32.exe
2740  Imkdqe32.exe
1272  Iqgqacam.exe
2732  Icemmopa.exe
1028  Igainn32.exe
1616  Ijoeji32.exe
2488  Inkakhpg.exe
2692  Imnafd32.exe
2972  Iqimgc32.exe
1068  Ichico32.exe
924   Igcecmfg.exe
1656  Ijaapifk.exe
1976  Iidbke32.exe
Loads dropped DLL (64 IoCs)

Each process below is listed twice in the report (two DLL-load events per process), 32 processes in total:

pid   process
1756  1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe
2504  Eafkfb32.exe
2648  Efcdoipc.exe
2748  Eplhgn32.exe
1664  Ejameg32.exe
2428  Eidmqdmd.exe
2100  Fekneebh.exe
1212  Fmbefbck.exe
2588  Focbnj32.exe
1532  Fhlfgppj.exe
2304  Fklpik32.exe
1612  Fbcgjh32.exe
1080  Febcfd32.exe
1704  Flllcndm.exe
2380  Fmmhjf32.exe
2088  Fdgqgqah.exe
488   Gkaidjhe.exe
864   Gheimogo.exe
2968  Giffeg32.exe
1316  Gdljbp32.exe
2132  Ggjfnk32.exe
876   Gmdoke32.exe
1724  Gpbkgq32.exe
1948  Gdnghpkq.exe
1444  Gglcdkjd.exe
2288  Gliklahk.exe
1548  Gohhhmgo.exe
2568  Gccdil32.exe
2516  Geapeg32.exe
2408  Gllhaa32.exe
2456  Gpgdbpob.exe
1276  Hceqnlnf.exe
Drops file in System32 directory (64 IoCs)

description                   ioc                                  process
File opened for modification  C:\Windows\SysWOW64\Iqopea32.exe     Iblpjdpk.exe
File created                  C:\Windows\SysWOW64\Jmhmpb32.exe     Jnemdecl.exe
File opened for modification  C:\Windows\SysWOW64\Kgkafo32.exe     Kemejc32.exe
File created                  C:\Windows\SysWOW64\Chbjffad.exe     Cdgneh32.exe
File created                  C:\Windows\SysWOW64\Doehqead.exe     Dpbheh32.exe
File created                  C:\Windows\SysWOW64\Dkcofe32.exe     Dggcffhg.exe
File created                  C:\Windows\SysWOW64\Lbjhdo32.dll     Qnfjna32.exe
File opened for modification  C:\Windows\SysWOW64\Bcaomf32.exe     Bdooajdc.exe
File opened for modification  C:\Windows\SysWOW64\Hpocfncj.exe     Hnagjbdf.exe
File opened for modification  C:\Windows\SysWOW64\Hpapln32.exe     Hhjhkq32.exe
File opened for modification  C:\Windows\SysWOW64\Jjoailji.exe     Jgqemakf.exe
File created                  C:\Windows\SysWOW64\Aodnnc32.dll     Maphdl32.exe
File created                  C:\Windows\SysWOW64\Ajdadamj.exe     Abmibdlh.exe
File created                  C:\Windows\SysWOW64\Nolcnd32.dll     Ihdkao32.exe
File opened for modification  C:\Windows\SysWOW64\Joifam32.exe     Jqfffqpm.exe
File created                  C:\Windows\SysWOW64\Kgkafo32.exe     Kemejc32.exe
File created                  C:\Windows\SysWOW64\Dqhhknjp.exe     Dbehoa32.exe
File opened for modification  C:\Windows\SysWOW64\Idfbkq32.exe     Ifcbodli.exe
File created                  C:\Windows\SysWOW64\Npdjje32.exe     Naajoinb.exe
File created                  C:\Windows\SysWOW64\Jmpjkggj.exe     Jnmjok32.exe
File opened for modification  C:\Windows\SysWOW64\Oqqapjnk.exe     Obnqem32.exe
File created                  C:\Windows\SysWOW64\Bdhhqk32.exe     Beehencq.exe
File opened for modification  C:\Windows\SysWOW64\Pbfpik32.exe     Pogclp32.exe
File created                  C:\Windows\SysWOW64\Mclgfa32.dll     Bdgafdfp.exe
File created                  C:\Windows\SysWOW64\Okphjd32.dll     Bhigphio.exe
File created                  C:\Windows\SysWOW64\Mhjpaf32.exe     Migpeiag.exe
File created                  C:\Windows\SysWOW64\Hjlanqkq.dll     Cnippoha.exe
File created                  C:\Windows\SysWOW64\Dlmfmihf.dll     Jehkodcm.exe
File created                  C:\Windows\SysWOW64\Eekkdc32.dll     Ckjpacfp.exe
File created                  C:\Windows\SysWOW64\Fdmneogq.dll     Hchmdklc.exe
File created                  C:\Windows\SysWOW64\Ggnncj32.dll     Keikqhhe.exe
File created                  C:\Windows\SysWOW64\Lplogdmj.exe     Llqcfe32.exe
File created                  C:\Windows\SysWOW64\Peegic32.dll     Mgcgmb32.exe
File created                  C:\Windows\SysWOW64\Ohgbmh32.dll     Nmjblg32.exe
File opened for modification  C:\Windows\SysWOW64\Piblek32.exe     Pfdpip32.exe
File created                  C:\Windows\SysWOW64\Qffmipmp.dll     Emieil32.exe
File created                  C:\Windows\SysWOW64\Qmekfeeo.dll     Ioojhpdb.exe
File created                  C:\Windows\SysWOW64\Nkfbjneg.dll     Jeplkf32.exe
File created                  C:\Windows\SysWOW64\Ahaloofd.dll     Ocajbekl.exe
File opened for modification  C:\Windows\SysWOW64\Bhahlj32.exe     Bingpmnl.exe
File created                  C:\Windows\SysWOW64\Fgdqfpma.dll     Cllpkl32.exe
File created                  C:\Windows\SysWOW64\Gbijhg32.exe     Gonnhhln.exe
File opened for modification  C:\Windows\SysWOW64\Qfokbnip.exe     Qbcpbo32.exe
File created                  C:\Windows\SysWOW64\Gdidec32.dll     Cnmehnan.exe
File created                  C:\Windows\SysWOW64\Jagbha32.dll     Nnnojlpa.exe
File opened for modification  C:\Windows\SysWOW64\Nlgefh32.exe     Nhlifi32.exe
File created                  C:\Windows\SysWOW64\Amammd32.dll     Idceea32.exe
File created                  C:\Windows\SysWOW64\Goipbehm.dll     Ifnechbj.exe
File opened for modification  C:\Windows\SysWOW64\Mijfnh32.exe     Mkgfckcj.exe
File created                  C:\Windows\SysWOW64\Jbkpmm32.dll     Mpigfa32.exe
File created                  C:\Windows\SysWOW64\Dlgldibq.exe     Dndlim32.exe
File opened for modification  C:\Windows\SysWOW64\Dknekeef.exe     Dlkepi32.exe
File created                  C:\Windows\SysWOW64\Febhomkh.dll     Goddhg32.exe
File created                  C:\Windows\SysWOW64\Jfojbj32.dll     Igkdgk32.exe
File created                  C:\Windows\SysWOW64\Fdgqgqah.exe     Fmmhjf32.exe
File opened for modification  C:\Windows\SysWOW64\Ichico32.exe     Iqimgc32.exe
File created                  C:\Windows\SysWOW64\Dlnqnenm.dll     Kfmhol32.exe
File created                  C:\Windows\SysWOW64\Ljfekqdn.dll     Mkjica32.exe
File created                  C:\Windows\SysWOW64\Fiedkadc.dll     Ogfpbeim.exe
File created                  C:\Windows\SysWOW64\Qlhnbf32.exe     Qhmbagfa.exe
File created                  C:\Windows\SysWOW64\Njabih32.dll     Boqbfb32.exe
File created                  C:\Windows\SysWOW64\Kclhicjn.dll     Bblogakg.exe
File created                  C:\Windows\SysWOW64\Ceaadk32.exe     Cafecmlj.exe
File opened for modification  C:\Windows\SysWOW64\Cddaphkn.exe     Ceaadk32.exe
Program crash (1 IoC)

pid    pid_target  process       target process
10156  10132       WerFault.exe  Fkckeh32.exe
Modifies registry class 64 IoCs
Processes:
Mmhodf32.exeOnhgbmfb.exeAoepcn32.exeBpleef32.exeOojknblb.exeCfbhnaho.exeFbgmbg32.exeIfnechbj.exeOjcecjee.exeQcbllb32.exeCklmgb32.exeLmkfei32.exeGlfhll32.exeNoqamn32.exeNkiogn32.exeMlkopcge.exeCnkicn32.exeKnjiin32.exeDcfdgiid.exeHpmgqnfl.exeIblpjdpk.exeFmbefbck.exeClcflkic.exePqkmjh32.exeGaemjbcg.exeHahjpbad.exeIhdkao32.exeKmopod32.exeEjameg32.exeNfmmin32.exePfiidobe.exePabjem32.exeMpbaebdd.exeAaobdjof.exeEbjglbml.exeBopicc32.exeGpmjak32.exeKemejc32.exePdaoog32.exeImnafd32.exeKhcnad32.exePminkk32.exeQjknnbed.exeQimhoi32.exeAidnohbk.exeDbbkja32.exeEnihne32.exeEfcfga32.exeKeoapb32.exeDliijipn.exeEffcma32.exeMhjpaf32.exeOnphoo32.exePbmmcq32.exeClaifkkf.exeCndbcc32.exeNlphkb32.exeOnmdoioa.exeBoqbfb32.exeGllhaa32.exeHoakolod.exeIfhbdj32.exeJcjbgaog.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlnbfd32.dll" Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoepcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqhm32.dll" Oojknblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fbgmbg32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojcecjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcbllb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqckbobk.dll" Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Glfhll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkiogn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnhbba.dll" Cnkicn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knjiin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll" Dcfdgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpmgqnfl.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iblpjdpk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbenqa32.dll" Fmbefbck.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clcflkic.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqkmjh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gaemjbcg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hahjpbad.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihdkao32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmopod32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkbph32.dll" Ejameg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmgmp32.dll" Nfmmin32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" Pfiidobe.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pabjem32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" Mpbaebdd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaobdjof.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebjglbml.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" Bopicc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpmjak32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kemejc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqiaclmk.dll" Pdaoog32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llinacgg.dll" Imnafd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khcnad32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pminkk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojiha32.dll" Qjknnbed.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qimhoi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aidnohbk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbbkja32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enihne32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efcfga32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolcnd32.dll" Ihdkao32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keoapb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dliijipn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Effcma32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhjpaf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffbcfgd.dll" Onphoo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbmmcq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Claifkkf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cndbcc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmdoioa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boqbfb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngjgjndh.dll" Gllhaa32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoakolod.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmiobd32.dll" Ifhbdj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcjbgaog.exe -
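The entries above are a flattened sandbox table (operation, registry path including the value name, data, writing process), and they show one CLSID being created and re-pointed at a fresh dropped DLL by generation after generation of the chain. The parser below is an added example written for this page; it is not sandbox output and not code from the sample. It splits the flattened text back into records and reduces them to the IoCs worth carrying into a hunt: the CLSID, every DLL registered as its in-process server, and which process wrote each one. The sample input is five entries copied from the list above; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: five entries copied from the report's "Modifies registry
# class" list, in the flattened one-line form the sandbox page shows. Each entry is
# "<operation> <key path>[\<value name> = "<data>"] <writing process>".
SAMPLE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iblpjdpk.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbenqa32.dll" Fmbefbck.exe '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clcflkic.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gaemjbcg.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkbph32.dll" Ejameg32.exe'
)

# Each entry starts with its operation token; split on a lookahead so the token stays.
ENTRY_SPLIT = re.compile(r'(?=(?:Key created|Set value \(\w+\)) \\REGISTRY\\)')
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)


def parse_events(text):
    """Split the flattened list into records: op, type, key, name, data, process."""
    records = []
    for chunk in ENTRY_SPLIT.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = SET_RE.match(chunk)
        if m:
            vtype, path, data, proc = m.groups()
            # A path ending in '\' is the key's (Default) value, e.g. InProcServer32\ = "...dll"
            key, _, name = path.rpartition('\\')
            records.append({'op': 'set', 'type': vtype, 'key': key, 'name': name,
                            'data': data.replace('\\\\', '\\'), 'process': proc})
            continue
        m = KEY_RE.match(chunk)
        if m:
            key, proc = m.groups()
            records.append({'op': 'key_created', 'type': None, 'key': key, 'name': None,
                            'data': None, 'process': proc})
            continue
        raise ValueError(f'unrecognised entry: {chunk[:60]}')
    return records


def summarize(records):
    """Reduce records to hunting IoCs: CLSIDs touched, every DLL registered as an
    in-process server (mapped to the process that registered it), and which
    processes wrote to each key."""
    clsids, servers, writers = set(), {}, defaultdict(set)
    for r in records:
        m = CLSID_RE.search(r['key'])
        if m:
            clsids.add(m.group(0).upper())
        writers[r['key']].add(r['process'])
        if r['op'] == 'set' and r['name'] == '' and r['key'].endswith('\\InProcServer32'):
            servers[r['data']] = r['process']
    return {'clsids': sorted(clsids),
            'inproc_servers': dict(sorted(servers.items())),
            'writers': {k: sorted(v) for k, v in writers.items()}}


if __name__ == '__main__':
    for k, v in summarize(parse_events(SAMPLE)).items():
        print(k, v, sep=': ')
```

Run it over the full list and the InProcServer32 map becomes the DLL-name IoC list for the sample, while the single CLSID is the one indicator that stays constant across every generation.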
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe, Eafkfb32.exe, Efcdoipc.exe, Eplhgn32.exe, Ejameg32.exe, Eidmqdmd.exe, Fekneebh.exe, Fmbefbck.exe, Focbnj32.exe, Fhlfgppj.exe, Fklpik32.exe, Fbcgjh32.exe, Febcfd32.exe, Flllcndm.exe, Fmmhjf32.exe, Fdgqgqah.exe
description pid process target process
PID 1756 wrote to memory of 2504 1756 1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe Eafkfb32.exe (logged 4 times)
PID 2504 wrote to memory of 2648 2504 Eafkfb32.exe Efcdoipc.exe (logged 4 times)
PID 2648 wrote to memory of 2748 2648 Efcdoipc.exe Eplhgn32.exe (logged 4 times)
PID 2748 wrote to memory of 1664 2748 Eplhgn32.exe Ejameg32.exe (logged 4 times)
PID 1664 wrote to memory of 2428 1664 Ejameg32.exe Eidmqdmd.exe (logged 4 times)
PID 2428 wrote to memory of 2100 2428 Eidmqdmd.exe Fekneebh.exe (logged 4 times)
PID 2100 wrote to memory of 1212 2100 Fekneebh.exe Fmbefbck.exe (logged 4 times)
PID 1212 wrote to memory of 2588 1212 Fmbefbck.exe Focbnj32.exe (logged 4 times)
PID 2588 wrote to memory of 1532 2588 Focbnj32.exe Fhlfgppj.exe (logged 4 times)
PID 1532 wrote to memory of 2304 1532 Fhlfgppj.exe Fklpik32.exe (logged 4 times)
PID 2304 wrote to memory of 1612 2304 Fklpik32.exe Fbcgjh32.exe (logged 4 times)
PID 1612 wrote to memory of 1080 1612 Fbcgjh32.exe Febcfd32.exe (logged 4 times)
PID 1080 wrote to memory of 1704 1080 Febcfd32.exe Flllcndm.exe (logged 4 times)
PID 1704 wrote to memory of 2380 1704 Flllcndm.exe Fmmhjf32.exe (logged 4 times)
PID 2380 wrote to memory of 2088 2380 Fmmhjf32.exe Fdgqgqah.exe (logged 4 times)
PID 2088 wrote to memory of 488 2088 Fdgqgqah.exe Gkaidjhe.exe (logged 4 times)
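The WriteProcessMemory list is the raw material for the spawn chain that the process tree below renders: each parent writes into exactly one child, and the child is a newly dropped executable in SysWOW64. The script below is an added example for this page, not sandbox or sample code. It parses the flattened entries, rebuilds the chain as a linked list, rejects anything that is not a single linear chain (fan-out, a second root or a cycle would mean the sample did something other than what this report shows), and checks that every child image fits the eight-character naming every dropped executable on this page follows (eight letters, or six letters followed by "32"). The sample input is the first three parent/child pairs of the list above, repeated four times each as the page logs them; the naming regex is this example's observation of the report, not a statement the report makes.

```python
import re
from collections import Counter

# Constructed sample: the first three parent/child pairs from the report's
# "Suspicious use of WriteProcessMemory" list, each repeated four times exactly as
# the page logs them.
SAMPLE = ' '.join(
    ['PID 1756 wrote to memory of 2504 1756 '
     '1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe Eafkfb32.exe'] * 4
    + ['PID 2504 wrote to memory of 2648 2504 Eafkfb32.exe Efcdoipc.exe'] * 4
    + ['PID 2648 wrote to memory of 2748 2648 Efcdoipc.exe Eplhgn32.exe'] * 4
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the backreference
# rejects entries whose repeated pid does not match (a sign of a mangled extraction).
WRITE_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)')

# Every dropped executable on this page has an eight-character name: eight letters,
# or six letters followed by "32". Observation from the report, not a claim about
# how the sample generates names.
DROPPED_NAME = re.compile(r'^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$')


def parse_writes(text):
    """Counter of (src_pid, dst_pid, src_image, dst_image) -> times logged."""
    return Counter((int(s), int(d), si, di) for s, d, si, di in WRITE_RE.findall(text))


def reconstruct_chain(edges):
    """Link the edges into the spawn chain; return [(pid, image), ...] root first.
    Raises ValueError unless the graph is one linear chain."""
    child, parent, image = {}, {}, {}
    for src, dst, src_image, dst_image in edges:
        if src in child or dst in parent:
            raise ValueError(f'not a linear chain at pid {src} -> {dst}')
        child[src], parent[dst] = dst, src
        image[src], image[dst] = src_image, dst_image
    roots = [p for p in child if p not in parent]
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root, found {roots}')
    chain, pid, seen = [], roots[0], set()
    while pid is not None:
        if pid in seen:
            raise ValueError('cycle in chain')
        seen.add(pid)
        chain.append((pid, image[pid]))
        pid = child.get(pid)
    return chain


def chain_report(text):
    """Triage summary: ordered image names, generation depth, the distinct number of
    writes per edge, and whether every child image fits the dropped-name pattern."""
    edges = parse_writes(text)
    chain = reconstruct_chain(edges)
    return {
        'chain': [image for _, image in chain],
        'generations': len(chain) - 1,
        'writes_per_child': sorted(set(edges.values())),
        'children_match_pattern': all(DROPPED_NAME.match(i) for _, i in chain[1:]),
    }


if __name__ == '__main__':
    for k, v in chain_report(SAMPLE).items():
        print(k, v, sep=': ')
```

Fed the whole list, the ordered chain doubles as the list of dropped image names to block, and the generation count gives a quick way to compare this run against the Windows 10 run listed at the top of the page.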
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1a77d5ecd2fa27578d658e03657ab7c0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Eafkfb32.exeC:\Windows\system32\Eafkfb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Efcdoipc.exeC:\Windows\system32\Efcdoipc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Eplhgn32.exeC:\Windows\system32\Eplhgn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ejameg32.exeC:\Windows\system32\Ejameg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Eidmqdmd.exeC:\Windows\system32\Eidmqdmd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Fekneebh.exeC:\Windows\system32\Fekneebh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Fmbefbck.exeC:\Windows\system32\Fmbefbck.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Focbnj32.exeC:\Windows\system32\Focbnj32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Fhlfgppj.exeC:\Windows\system32\Fhlfgppj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Fklpik32.exeC:\Windows\system32\Fklpik32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Fbcgjh32.exeC:\Windows\system32\Fbcgjh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Febcfd32.exeC:\Windows\system32\Febcfd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Flllcndm.exeC:\Windows\system32\Flllcndm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Fmmhjf32.exeC:\Windows\system32\Fmmhjf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Fdgqgqah.exeC:\Windows\system32\Fdgqgqah.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Gkaidjhe.exeC:\Windows\system32\Gkaidjhe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:488 -
C:\Windows\SysWOW64\Gheimogo.exeC:\Windows\system32\Gheimogo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Giffeg32.exeC:\Windows\system32\Giffeg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Gdljbp32.exeC:\Windows\system32\Gdljbp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Ggjfnk32.exeC:\Windows\system32\Ggjfnk32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Gmdoke32.exeC:\Windows\system32\Gmdoke32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Gpbkgq32.exeC:\Windows\system32\Gpbkgq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Gdnghpkq.exeC:\Windows\system32\Gdnghpkq.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Gglcdkjd.exeC:\Windows\system32\Gglcdkjd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Gliklahk.exeC:\Windows\system32\Gliklahk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Gohhhmgo.exeC:\Windows\system32\Gohhhmgo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Gccdil32.exeC:\Windows\system32\Gccdil32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Geapeg32.exeC:\Windows\system32\Geapeg32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Gllhaa32.exeC:\Windows\system32\Gllhaa32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Gpgdbpob.exeC:\Windows\system32\Gpgdbpob.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Hceqnlnf.exeC:\Windows\system32\Hceqnlnf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Hahqjh32.exeC:\Windows\system32\Hahqjh32.exe33⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Hedmkgmi.exeC:\Windows\system32\Hedmkgmi.exe34⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Hlnega32.exeC:\Windows\system32\Hlnega32.exe35⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Hefipfkg.exeC:\Windows\system32\Hefipfkg.exe37⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe38⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe39⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Hkcbhn32.exeC:\Windows\system32\Hkcbhn32.exe40⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe41⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe42⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe43⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Haogkgoh.exeC:\Windows\system32\Haogkgoh.exe45⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe46⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe47⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe48⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe50⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe51⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe52⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe53⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe54⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe55⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe56⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe57⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe58⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe59⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe62⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Igcecmfg.exeC:\Windows\system32\Igcecmfg.exe63⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe64⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe65⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:900 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe67⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe68⤵PID:2904
-
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe69⤵
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe70⤵PID:2584
-
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe71⤵PID:2472
-
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe72⤵PID:2240
-
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe73⤵PID:592
-
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe74⤵PID:2376
-
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe75⤵PID:1936
-
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe76⤵PID:1780
-
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe77⤵PID:1960
-
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe78⤵PID:700
-
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe79⤵PID:288
-
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe80⤵
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe81⤵PID:1572
-
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe82⤵PID:2976
-
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe84⤵PID:2644
-
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe86⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe87⤵PID:860
-
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe88⤵PID:1268
-
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe89⤵PID:2232
-
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe90⤵PID:344
-
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:328 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe92⤵PID:804
-
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe93⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe94⤵PID:2144
-
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe95⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe96⤵PID:932
-
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe97⤵PID:1588
-
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe98⤵PID:1280
-
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe99⤵PID:1924
-
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe100⤵PID:2224
-
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe101⤵PID:1700
-
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe102⤵PID:584
-
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe103⤵PID:3068
-
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe104⤵PID:2556
-
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe105⤵PID:2432
-
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe106⤵PID:1748
-
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe107⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe108⤵PID:2576
-
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe109⤵PID:2372
-
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe110⤵PID:1372
-
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe111⤵PID:1716
-
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe112⤵PID:1600
-
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe113⤵PID:1696
-
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe114⤵PID:2720
-
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe115⤵PID:1932
-
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe116⤵PID:2036
-
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe118⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe119⤵PID:1464
-
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe120⤵PID:2616
-
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe121⤵PID:984
-
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe122⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe123⤵PID:2696
-
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe124⤵PID:2460
-
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe125⤵PID:2396
-
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe126⤵PID:2636
-
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe127⤵PID:2688
-
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe129⤵PID:2260
-
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe131⤵PID:2184
-
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe132⤵PID:1376
-
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe133⤵PID:2764
-
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe134⤵PID:1448
-
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe135⤵PID:1416
-
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe136⤵PID:1784
-
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe137⤵PID:2160
-
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe138⤵PID:2624
-
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe139⤵PID:1524
-
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe140⤵PID:1560
-
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe141⤵PID:676
-
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe142⤵PID:2148
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe143⤵PID:448
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe144⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe145⤵PID:608
-
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe146⤵PID:2836
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe147⤵PID:1620
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe148⤵PID:2980
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe149⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe150⤵PID:788
-
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe151⤵PID:1904
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe152⤵PID:2208
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe153⤵PID:1300
-
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe154⤵PID:1596
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe155⤵
- Drops file in System32 directory
PID:240 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe156⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe157⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe158⤵PID:1520
-
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe159⤵PID:2092
-
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe160⤵
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe161⤵PID:2368
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe162⤵PID:1216
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe163⤵PID:1084
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe164⤵PID:2604
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe165⤵PID:1564
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe166⤵PID:1500
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe167⤵
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe168⤵PID:3044
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe169⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe170⤵PID:1492
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe171⤵PID:2712
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe172⤵PID:1528
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe173⤵PID:1592
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe174⤵PID:1732
-
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe175⤵PID:2916
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe176⤵PID:2628
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe177⤵PID:2340
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe178⤵PID:2108
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe179⤵PID:3100
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3140 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe181⤵PID:3180
-
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe182⤵PID:3220
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe183⤵PID:3260
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe184⤵PID:3300
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe185⤵PID:3340
-
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe186⤵PID:3380
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe187⤵PID:3420
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe188⤵
- Modifies registry class
PID:3460 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3500 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe190⤵
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe191⤵PID:3580
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe192⤵PID:3620
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe193⤵PID:3660
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe194⤵PID:3700
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe195⤵PID:3740
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe196⤵PID:3768
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe197⤵PID:3792
-
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe198⤵PID:3832
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe199⤵
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe200⤵PID:3912
-
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe201⤵PID:3952
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe202⤵PID:3992
-
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe203⤵PID:4032
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4072 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe205⤵PID:3092
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe206⤵PID:3080
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe207⤵
- Modifies registry class
PID:3192 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe208⤵PID:3248
-
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe209⤵PID:3296
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe210⤵PID:3352
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe211⤵PID:3404
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3456 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe213⤵PID:3508
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe214⤵PID:3564
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe215⤵
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe216⤵PID:3628
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe217⤵PID:3672
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3724 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe219⤵PID:3776
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe220⤵PID:3840
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe221⤵PID:384
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe222⤵
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe223⤵PID:3948
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4008 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe225⤵PID:4048
-
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe226⤵PID:4080
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe227⤵PID:3320
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe228⤵PID:3176
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe229⤵PID:3244
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe230⤵PID:3280
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe231⤵PID:3368
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe232⤵
- Drops file in System32 directory
PID:3412 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe233⤵PID:3476
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe234⤵PID:3548
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe235⤵PID:3616
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe236⤵PID:3692
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe237⤵
- Modifies registry class
PID:3756 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe238⤵PID:3828
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe239⤵PID:3804
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe240⤵PID:2868
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe241⤵PID:3980
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe242⤵PID:4056
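Every "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" marker in the tree above is a write either to the ShellServiceObjectDelayLoad (SSODL) autostart list or to the InProcServer32 of CLSID {79FAA099-1BAE-816E-D711-115290CEE717}. Explorer instantiates every CLSID listed under SSODL at logon, so whatever DLL that CLSID resolves to runs inside explorer.exe. One caveat worth checking before calling the persistence effective: the paths the report records sit under Wow6432Node, the 32-bit registry view, because the sample is a 32-bit executable. On this x64 VM the 64-bit explorer.exe reads the native view and cannot load a 32-bit DLL, so the writes only bite where they land in the key Explorer actually reads (a 32-bit Windows install), which is why a hunt has to look at both views. The script below is an added example, not tooling from the sandbox or the sample: hunt() works on a registry snapshot and flags SSODL entries whose CLSID matches this report's IoC, flags entries whose CLSID has no InProcServer32 in the same view, and lists the rest with their resolved DLL for baseline comparison; read_live_snapshot() builds that snapshot on a Windows host with the standard winreg module. SAMPLE_SNAPSHOT is constructed (the report's CLSID resolving to one DLL the report lists, plus two placeholder CLSIDs); the severity labels and function names are this example's own.

```python
import sys

# ShellServiceObjectDelayLoad (SSODL): explorer.exe instantiates every CLSID listed
# here at logon, so the CLSID's InProcServer32 DLL runs inside Explorer. Both
# subkeys are the standard Windows locations; the sample writes their Wow6432Node
# (32-bit view) copies, which is why the live reader walks both views.
SSODL_SUBKEY = r'SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
CLSID_SUBKEY = r'SOFTWARE\Classes\CLSID'

# The one CLSID this report shows being created and re-pointed at dropped DLLs.
WATCH_CLSIDS = {'{79FAA099-1BAE-816E-D711-115290CEE717}'}

# Constructed snapshot (not captured from a real host): the report's CLSID in the
# 32-bit SSODL view resolving to a DLL the report lists, a placeholder benign entry,
# and a dangling entry whose CLSID has no InProcServer32 in its view.
SAMPLE_SNAPSHOT = {
    'ssodl': {
        ('x86', 'entry-a'): '{79FAA099-1BAE-816E-D711-115290CEE717}',
        ('x64', 'entry-b'): '{00000000-0000-0000-0000-00000000000B}',
        ('x64', 'entry-c'): '{00000000-0000-0000-0000-00000000000C}',
    },
    'servers': {
        ('x86', '{79FAA099-1BAE-816E-D711-115290CEE717}'): r'C:\Windows\SysWow64\Fmiobd32.dll',
        ('x64', '{00000000-0000-0000-0000-00000000000B}'): r'C:\Windows\System32\placeholder.dll',
    },
}


def hunt(snapshot, watch_clsids=WATCH_CLSIDS):
    """snapshot = {'ssodl': {(view, name): clsid}, 'servers': {(view, CLSID): dll}}.
    Returns one finding dict per SSODL entry, highest severity first."""
    watch = {c.upper() for c in watch_clsids}
    findings = []
    for (view, name), clsid in snapshot['ssodl'].items():
        clsid = clsid.upper()
        dll = snapshot['servers'].get((view, clsid))
        if clsid in watch:
            sev, why = 'high', 'CLSID matches an IoC from this report'
        elif dll is None:
            sev, why = 'medium', 'no InProcServer32 in this registry view (dangling or partially cleaned)'
        else:
            sev, why = 'info', 'baseline: confirm the DLL is signed and expected on this host'
        findings.append({'severity': sev, 'view': view, 'name': name,
                         'clsid': clsid, 'dll': dll, 'reason': why})
    order = {'high': 0, 'medium': 1, 'info': 2}
    return sorted(findings, key=lambda f: order[f['severity']])


def read_live_snapshot():
    """Windows only: enumerate SSODL and resolve each CLSID's InProcServer32 in both
    the 64-bit and the 32-bit (Wow6432Node) views of HKLM. On 32-bit Windows the
    view flags are ignored and both tags report the same entries."""
    import winreg  # standard library, present only on Windows
    snapshot = {'ssodl': {}, 'servers': {}}
    views = {'x64': winreg.KEY_WOW64_64KEY, 'x86': winreg.KEY_WOW64_32KEY}
    for tag, flag in views.items():
        access = winreg.KEY_READ | flag
        try:
            ssodl = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_SUBKEY, 0, access)
        except OSError:
            continue
        with ssodl:
            for i in range(winreg.QueryInfoKey(ssodl)[1]):  # [1] = number of values
                name, clsid, _ = winreg.EnumValue(ssodl, i)
                clsid = str(clsid).upper()
                snapshot['ssodl'][(tag, name)] = clsid
                server = '\\'.join([CLSID_SUBKEY, clsid, 'InProcServer32'])
                try:
                    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, server, 0, access) as k:
                        snapshot['servers'][(tag, clsid)] = winreg.QueryValueEx(k, '')[0]
                except OSError:
                    pass  # dangling: hunt() reports it
    return snapshot


if __name__ == '__main__':
    snap = read_live_snapshot() if sys.platform == 'win32' else SAMPLE_SNAPSHOT
    for f in hunt(snap):
        print(f['severity'], f['view'], f['name'], f['clsid'], f['dll'], f['reason'], sep='\t')
```

Anything reported as "info" with a DLL under System32 or SysWOW64 that the host's baseline does not account for deserves the same treatment as a hit: the report shows the sample rewriting the same CLSID's InProcServer32 to a new eight-character DLL name on each generation, so the DLL name alone is a poor indicator and the CLSID plus the resolved path is what to pivot on.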