Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 01:18
Behavioral tasks

behavioral1: sample 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe, resource win7-20240508-en
behavioral2: sample 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe, resource win10v2004-20240426-en

The signatures and IoCs below come from behavioral2, the Windows 10 x64 run (every memory-dump resource is prefixed behavioral2/).
General

Target: 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe
Size: 108KB
MD5: 1af96b8fbb73ee88c199ca85e4bbfdf0
SHA1: eae414813c0ceb39f05b7d83a81df87af9ba6b2d
SHA256: 7ce15050a3854493ef4d860cc954796c5afd8f3b35fda322003d24e8e38b47ba
SHA512: 5318af529f444daad1f05433b5557e1dd268f4834a68123681ee525c0e2818cf813891431941246b081d08fe3c6555d0b9dd9c8873ceb04acbe77d4cdb83636e
SSDEEP: 1536:ERuyV5H0BroA6wLt44AKL0jqZKMwB+rjm8NiIqhn3HQ8BawTj2wQ3K:CV5UBro1zqZYUjmOiBn3w8BdTj2h3K
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

ShellServiceObjectDelayLoad (SSODL) lists CLSIDs that Explorer instantiates at logon, so a value written here is a persistence mechanism. The value name "Web Event Logger" is cosmetic; what matters is the CLSID it carries, {79FEACFF-FFCE-815E-A900-316290B5B738}, which Explorer resolves through HKLM\SOFTWARE\Classes\CLSID\<clsid>\InProcServer32. The sample writes that key as well (see "Modifies registry class" below), pointing it at DLLs it drops into SysWOW64, so the SSODL value and the InProcServer32 path have to be read together to know what actually gets loaded. Because the sample is 32-bit, every write below was redirected into the WOW6432Node view of the key; 64-bit Explorer reads the native view, so when hunting on 64-bit hosts check both the native SSODL key and its WOW6432Node counterpart. Every multi-event signature in this report is cut off at 64 IoCs, so the process lists are a sample of the chain, not the full set.

Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (37 events), by: Lcgblncm.exe, Mgghhlhq.exe, Mglack32.exe, Gbjhlfhb.exe, Ndidbn32.exe, Bbhqjchp.exe, Behiln32.exe, Elccfc32.exe, Aldegj32.exe, Fflaff32.exe, Dljqpd32.exe, Aemjpp32.exe, Ecbenm32.exe, Ebbidj32.exe, Mjqjih32.exe, Nacbfdao.exe, Okmfpm32.exe, Baojaoke.exe, Boanecla.exe, Qefdpq32.exe, Ahppgjjl.exe, Eqalmafo.exe, Himcoo32.exe, Mnfipekh.exe, Pijjpp32.exe, Qlpllkmc.exe, Aoqenf32.exe, Aifiko32.exe, Dofpgqji.exe, Paendb32.exe, Gpklpkio.exe, Fqkocpod.exe, Ppgobjia.exe, Ffekegon.exe, Goiojk32.exe, Dphifcoi.exe, Fcnejk32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (27 events), by: Dlegeemh.exe, Dllmfd32.exe, Ibagcc32.exe, Kkbkamnl.exe, Fqaeco32.exe, Himcoo32.exe, Ncgkcl32.exe, Djnaji32.exe, Ficgacna.exe, Mcnhmm32.exe, Aemjpp32.exe, Blnhni32.exe, Behiln32.exe, Dcopbp32.exe, Kmegbjgn.exe, Cpgqpe32.exe, Ccfmla32.exe, Ejlmkgkl.exe, Pijjpp32.exe, Jdjfcecp.exe, Majopeii.exe, Imihfl32.exe, Qbjdiedp.exe, Ngpjnkpf.exe, Gmkbnp32.exe, Mahbje32.exe, Ophbqlea.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor trojan that downloads and installs additional malware, such as other trojans, ransomware and cryptominers.

In this run it behaves as a daisy-chained dropper: each process writes the next executable into C:\Windows\SysWOW64\ under a fresh eight-character name (Oiagia32.exe creates Opkoflco.exe, Plfiflen.exe creates Pbpacfmj.exe in "Drops file in System32 directory"), launches it ("Executes dropped EXE", "Suspicious use of WriteProcessMemory"), and also drops a DLL that it registers as the InProcServer32 of the autorun CLSID. Every memory match below sits at the same virtual range 0x400000-0x43F000, consistent with one image being re-executed under rotating names; the file matches are the dropped executables themselves.

YARA rule family_berbew matched the following resources:

Memory dumps, behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000043F000-memory.dmp, for pid-n: 772-0, 2044-7, 3508-20, 4692-28, 1372-31, 1160-40, 1164-52, 2180-56, 4988-64, 2144-72, 3732-80, 4788-87, 2792-95, 4476-103, 4472-111, 4436-120, 4820-128, 32-135, 1388-144, 1248-152, 2820-160, 4768-168, 4012-176, 3524-184, 4868-192, 3304-199, 4048-208, 4908-216, 3748-223, 652-236, 3540-244, 224-253

Dropped files in C:\Windows\SysWOW64\: Oilmnbpg.exe, Okkjjnok.exe, Obdbgh32.exe, Oagbbdnb.exe, Okmfpm32.exe, Ophbqlea.exe, Obgomgee.exe, Oiagia32.exe, Opkoflco.exe, Oalknd32.exe, Olapkmic.exe, Pblhhg32.exe, Pejddb32.exe, Pldlqlgp.exe, Pbndmf32.exe, Pihmjqfj.exe, Plfiflen.exe, Pbpacfmj.exe, Pijjpp32.exe, Plifll32.exe, Pngbhg32.exe, Paendb32.exe, Phpfqmio.exe, Ppgobjia.exe, Pbekne32.exe, Piockppb.exe, Plmogkoe.exe, Qnlkcfni.exe, Qefdpq32.exe, Qlpllkmc.exe, Qbjdiedp.exe, Qehqepcc.exe
Executes dropped EXE (64 IoCs)

pid | process (the order matches the parent-child chain in "Suspicious use of WriteProcessMemory"; the list is cut off at 64 and the chain continues beyond it):
2044 Oilmnbpg.exe, 3508 Okkjjnok.exe, 4692 Obdbgh32.exe, 1372 Oagbbdnb.exe
1160 Okmfpm32.exe, 1164 Ophbqlea.exe, 2180 Obgomgee.exe, 4988 Oiagia32.exe
2144 Opkoflco.exe, 3732 Oalknd32.exe, 4788 Olapkmic.exe, 2792 Pblhhg32.exe
4476 Pejddb32.exe, 4472 Pldlqlgp.exe, 4436 Pbndmf32.exe, 4820 Pihmjqfj.exe
32 Plfiflen.exe, 1388 Pbpacfmj.exe, 1248 Pijjpp32.exe, 2820 Plifll32.exe
4768 Pngbhg32.exe, 4012 Paendb32.exe, 3524 Phpfqmio.exe, 4868 Ppgobjia.exe
3304 Pbekne32.exe, 4048 Piockppb.exe, 4908 Plmogkoe.exe, 3748 Qnlkcfni.exe
652 Qefdpq32.exe, 3540 Qlpllkmc.exe, 224 Qbjdiedp.exe, 4592 Qehqepcc.exe
4392 Albibj32.exe, 1812 Aejmkpaq.exe, 4024 Aifiko32.exe, 4484 Aldegj32.exe
768 Appahiag.exe, 1028 Aaanpa32.exe, 800 Aemjpp32.exe, 740 Ahkflk32.exe
2084 Apbnnh32.exe, 3384 Aoeniefo.exe, 3604 Aackeqeb.exe, 1020 Aikbfnfd.exe
5024 Aogkoedl.exe, 3752 Abcgoc32.exe, 4348 Aeacko32.exe, 544 Ahppgjjl.exe
940 Apggihko.exe, 1896 Aahdqp32.exe, 684 Aiolam32.exe, 560 Blnhni32.exe
4400 Bpidngil.exe, 856 Bbhqjchp.exe, 552 Befmfngc.exe, 2868 Bhdibj32.exe
3676 Bpladg32.exe, 4760 Bbjmpb32.exe, 5020 Behiln32.exe, 220 Blbaihmn.exe
4420 Boanecla.exe, 1644 Baojaoke.exe, 4380 Blennh32.exe, 4488 Bockjc32.exe
Drops file in System32 directory (64 IoCs)

Every path is under C:\Windows\SysWOW64\ (the 32-bit System32 on this x64 image). The processes that appear twice show the per-hop pattern: each drops the next executable of the chain and one DLL, and the DLL is what the same process registers as the CLSID's InProcServer32 (Dagiil32.exe creates Lfmige32.dll, Dadlclim.exe creates Njqijj32.dll; compare "Modifies registry class"). "File opened for modification" is the sandbox's record of the write path being opened; it does not say the file was changed.

description | file | process
File opened for modification | Abcgoc32.exe | Aogkoedl.exe
File created | Qfiapa32.dll | Fbllkh32.exe
File created | Ldaeka32.exe | Lnhmng32.exe
File opened for modification | Mjqjih32.exe | Lcgblncm.exe
File created | Mcnhmm32.exe | Mjeddggd.exe
File created | Chjehioq.dll | Okkjjnok.exe
File opened for modification | Ophbqlea.exe | Okmfpm32.exe
File created | Opkoflco.exe | Oiagia32.exe
File created | Eqalmafo.exe | Ejgdpg32.exe
File created | Haidklda.exe | Hibljoco.exe
File created | Gmlfmg32.dll | Hccglh32.exe
File created | Pbpacfmj.exe | Plfiflen.exe
File created | Aogkoedl.exe | Aikbfnfd.exe
File opened for modification | Boegpc32.exe | Blgkdg32.exe
File created | Coojfa32.exe | Cefemliq.exe
File created | Lfmige32.dll | Dagiil32.exe
File created | Mbfppi32.dll | Fcgoilpj.exe
File created | Ffjdqg32.exe | Fckhdk32.exe
File opened for modification | Jmpngk32.exe | Jdhine32.exe
File opened for modification | Plmogkoe.exe | Piockppb.exe
File opened for modification | Qehqepcc.exe | Qbjdiedp.exe
File opened for modification | Dljqpd32.exe | Dephckaf.exe
File created | Fllceb32.dll | Dephckaf.exe
File created | Gagaaq32.dll | Epmcab32.exe
File created | Ejlmkgkl.exe | Efpajh32.exe
File created | Nilhco32.dll | Jmbklj32.exe
File created | Lkiqbl32.exe | Lpcmec32.exe
File created | Bdknoa32.dll | Nqklmpdd.exe
File created | Aikbfnfd.exe | Aackeqeb.exe
File created | Blbaihmn.exe | Behiln32.exe
File created | Chnlihnl.exe | Beppmmoi.exe
File opened for modification | Ecbenm32.exe | Eofinnkf.exe
File created | Llebfo32.dll | Fhajlc32.exe
File opened for modification | Lnhmng32.exe | Lkiqbl32.exe
File created | Lgkhlnbn.exe | Laopdgcg.exe
File created | Ibhblqpo.dll | Mjqjih32.exe
File opened for modification | Obdbgh32.exe | Okkjjnok.exe
File created | Albibj32.exe | Qehqepcc.exe
File created | Bofjdo32.dll | Ffbnph32.exe
File opened for modification | Fqmlhpla.exe | Fjcclf32.exe
File created | Lpfihl32.dll | Idofhfmm.exe
File created | Jjpeepnb.exe | Jbhmdbnp.exe
File created | Kqpaojmf.dll | Aaanpa32.exe
File opened for modification | Baaggo32.exe | Bockjc32.exe
File created | Kbnhno32.dll | Cedihl32.exe
File created | Ebploj32.exe | Elccfc32.exe
File opened for modification | Jbhmdbnp.exe | Jagqlj32.exe
File opened for modification | Ejjqeg32.exe | Ebbidj32.exe
File created | Nacbfdao.exe | Njljefql.exe
File opened for modification | Pblhhg32.exe | Olapkmic.exe
File created | Qehqepcc.exe | Qbjdiedp.exe
File created | Digkijmd.exe | Cpofpdgd.exe
File opened for modification | Dcdimopp.exe | Dohmlp32.exe
File opened for modification | Dagiil32.exe | Dcdimopp.exe
File opened for modification | Elccfc32.exe | Ehhgfdho.exe
File created | Ndghmo32.exe | Nqklmpdd.exe
File opened for modification | Fjqgff32.exe | Ffekegon.exe
File created | Fqaeco32.exe | Fijmbb32.exe
File created | Pihmjqfj.exe | Pbndmf32.exe
File opened for modification | Plifll32.exe | Pijjpp32.exe
File opened for modification | Blennh32.exe | Baojaoke.exe
File opened for modification | Biiohl32.exe | Baaggo32.exe
File opened for modification | Cchiaqjm.exe | Cpjmee32.exe
File created | Njqijj32.dll | Dadlclim.exe
Program crash (1 IoC)

WerFault.exe (pid 7344) handled a crash of Nkcmohbg.exe (pid 8180). Nkcmohbg.exe is not among the 64 dropped executables listed above, so the chain ran well past the point where the listings are cut off.
Modifies registry class 64 IoCs
Processes:
Oiagia32.exeDephckaf.exeHjmoibog.exeHibljoco.exeIiibkn32.exeGiacca32.exeAoqenf32.exeEofinnkf.exeEoifcnid.exeGbgkfg32.exeDadlclim.exeFomonm32.exePihmjqfj.exeHfjmgdlf.exeJdjfcecp.exeClldogdc.exePlfiflen.exeBaojaoke.exeLpcmec32.exeMaohkd32.exeAejmkpaq.exeGmoliohh.exeJpaghf32.exeKmgdgjek.exeGbcakg32.exePpgobjia.exeDcopbp32.exeKpepcedo.exePhpfqmio.exeChbedh32.exeEhhgfdho.exeEjlmkgkl.exeHadkpm32.exeMcpebmkb.exeCimhckeo.exeFfjdqg32.exeNdghmo32.exeKkbkamnl.exePldlqlgp.exeElccfc32.exeFqaeco32.exeIcgqggce.exeOphbqlea.exeBpidngil.exeDagiil32.exeDohmlp32.exeGjclbc32.exeHfljmdjc.exeLkiqbl32.exeLgpagm32.exeBbhqjchp.exePbpacfmj.exeAoeniefo.exeCpgqpe32.exeNjogjfoj.exeFbgbpihg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbifgkeh.dll" Oiagia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dephckaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll" Hjmoibog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibljoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiibkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giacca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoqenf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eofinnkf.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoifcnid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbgkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqijj32.dll" Dadlclim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fomonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pihmjqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll" Hfjmgdlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdjfcecp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clldogdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnielckg.dll" Plfiflen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbjbq32.dll" Baojaoke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpcmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maohkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfiflen.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aejmkpaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll" Giacca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll" Gmoliohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpaghf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmgdgjek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll" Gbcakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fomonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higjda32.dll" Ppgobjia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcopbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdjfcecp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpepcedo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phpfqmio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Nigpemda.dll" Chbedh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehhgfdho.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejlmkgkl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll" Hadkpm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll" Mcpebmkb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cimhckeo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll" Ffjdqg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpaghf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndghmo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndghmo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkbkamnl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldlqlgp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elccfc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqaeco32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll" Icgqggce.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ophbqlea.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpidngil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmige32.dll" Dagiil32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dohmlp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjclbc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfljmdjc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll" Jpaghf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkiqbl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll" Lgpagm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhenep.dll" Bbhqjchp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbpacfmj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoeniefo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpgqpe32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eofinnkf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njogjfoj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll" Fbgbpihg.exe
-
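The CLSID rows above only make sense together with the autorun signature. The "Adds autorun key to be loaded by Explorer.exe on startup" entries write a CLSID into the ShellServiceObjectDelayLoad key; Explorer instantiates every CLSID listed there at logon, and the default value of that CLSID's InProcServer32 key names the DLL that gets loaded. Every process in the chain re-points the same CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} at a freshly dropped DLL under SysWow64, which is why so many different processes touch one key. The Python below is an added example for this page, not the sandbox's code and not part of the sample: it parses rows in the sandbox's row shape and correlates the autorun CLSID with the InProcServer32 writes. The CLSID/InProcServer32 rows are copied from the list above; the ShellServiceObjectDelayLoad row is constructed in the same row shape with a placeholder value name ("Sample Service"), because the real value name is reported under the autorun signature rather than in this list.

```python
"""Correlate 'Modifies registry class' rows with the ShellServiceObjectDelayLoad
(SSODL) autorun CLSID.  Added example, not part of the sandbox report or sample."""
import re
from collections import defaultdict

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Row shapes as the sandbox renders them (single backslashes in key paths,
# doubled backslashes inside quoted string data):
#   Set value (<type>) <key>\<value name> = "<data>" <process>
#   Key created <key> <process>
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\S+?)\\(?P<name>[^\\=]*) = '
    r'"(?P<data>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r"^Key created (?P<key>\S+) (?P<proc>\S+)$")

# CLSID rows copied from the report; the last row (SSODL) is constructed with a
# placeholder value name in the same row shape the autorun signature produces.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehhgfdho.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll" Hadkpm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll" Mcpebmkb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll" Ffjdqg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpaghf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll" Jpaghf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkbkamnl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Sample Service = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkbkamnl.exe
"""


def parse_rows(text):
    """Turn report rows into dicts with op/key/name/data/proc."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            d = m.groupdict()
            d["op"] = "set"
            d["data"] = d["data"].replace("\\\\", "\\")  # undo the doubled backslashes
            rows.append(d)
            continue
        m = KEY_RE.match(line)
        if m:
            rows.append({"op": "create", "type": None, "name": None, "data": None, **m.groupdict()})
    return rows


def ssodl_entries(rows):
    """value name -> CLSID for every SSODL value whose data is a CLSID."""
    out = {}
    for r in rows:
        if (r["op"] == "set" and r["key"].lower().endswith("\\shellserviceobjectdelayload")
                and r["data"] and CLSID_RE.fullmatch(r["data"])):
            out[r["name"]] = r["data"].upper()
    return out


def inproc_servers(rows, clsid):
    """Which DLLs the CLSID's InProcServer32 was pointed at, and by which processes."""
    marker = ("\\clsid\\" + clsid + "\\inprocserver32").lower()
    dlls, threading, writers = defaultdict(set), set(), set()
    for r in rows:
        if not r["key"].lower().endswith(marker):
            continue
        writers.add(r["proc"])
        if r["op"] != "set":
            continue
        if r["name"] == "":                          # (Default) value = server DLL path
            dlls[r["data"]].add(r["proc"])
        elif r["name"].lower() == "threadingmodel":
            threading.add(r["data"])
    return {"dlls": dict(dlls), "threading": threading, "writers": writers}


def assess(text):
    """For each SSODL autorun entry, list the DLLs Explorer would load for it."""
    rows = parse_rows(text)
    findings = {}
    for name, clsid in ssodl_entries(rows).items():
        srv = inproc_servers(rows, clsid)
        dll_writers = {p for procs in srv["dlls"].values() for p in procs}
        findings[name] = {
            "clsid": clsid,
            "dll_paths": sorted(srv["dlls"]),
            "threading": sorted(srv["threading"]),
            "writers": sorted(srv["writers"]),
            # one CLSID re-pointed at several DLLs by several processes is the
            # hop-by-hop rewrite this report shows, not a normal COM registration
            "rewritten_by_multiple": len(srv["dlls"]) > 1 and len(dll_writers) > 1,
        }
    return findings


if __name__ == "__main__":
    for name, f in assess(SAMPLE_ROWS).items():
        print(name, f["clsid"], "->", ", ".join(f["dll_paths"]))
        print("  written by:", ", ".join(f["writers"]), "| rewritten:", f["rewritten_by_multiple"])
```

On a live host the same correlation is done against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its WOW6432Node view for 32-bit components) and HKCR\CLSID\{...}\InProcServer32; an entry whose server DLL is unsigned, recently written, or named like the eight-letter files above is the one to pull for analysis.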
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe Oilmnbpg.exe Okkjjnok.exe Obdbgh32.exe Oagbbdnb.exe Okmfpm32.exe Ophbqlea.exe Obgomgee.exe Oiagia32.exe Opkoflco.exe Oalknd32.exe Olapkmic.exe Pblhhg32.exe Pejddb32.exe Pldlqlgp.exe Pbndmf32.exe Pihmjqfj.exe Plfiflen.exe Pbpacfmj.exe Pijjpp32.exe Plifll32.exe Pngbhg32.exe
description pid process target process
PID 772 wrote to memory of 2044 772 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe Oilmnbpg.exe
PID 772 wrote to memory of 2044 772 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe Oilmnbpg.exe
PID 772 wrote to memory of 2044 772 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe Oilmnbpg.exe
PID 2044 wrote to memory of 3508 2044 Oilmnbpg.exe Okkjjnok.exe
PID 2044 wrote to memory of 3508 2044 Oilmnbpg.exe Okkjjnok.exe
PID 2044 wrote to memory of 3508 2044 Oilmnbpg.exe Okkjjnok.exe
PID 3508 wrote to memory of 4692 3508 Okkjjnok.exe Obdbgh32.exe
PID 3508 wrote to memory of 4692 3508 Okkjjnok.exe Obdbgh32.exe
PID 3508 wrote to memory of 4692 3508 Okkjjnok.exe Obdbgh32.exe
PID 4692 wrote to memory of 1372 4692 Obdbgh32.exe Oagbbdnb.exe
PID 4692 wrote to memory of 1372 4692 Obdbgh32.exe Oagbbdnb.exe
PID 4692 wrote to memory of 1372 4692 Obdbgh32.exe Oagbbdnb.exe
PID 1372 wrote to memory of 1160 1372 Oagbbdnb.exe Okmfpm32.exe
PID 1372 wrote to memory of 1160 1372 Oagbbdnb.exe Okmfpm32.exe
PID 1372 wrote to memory of 1160 1372 Oagbbdnb.exe Okmfpm32.exe
PID 1160 wrote to memory of 1164 1160 Okmfpm32.exe Ophbqlea.exe
PID 1160 wrote to memory of 1164 1160 Okmfpm32.exe Ophbqlea.exe
PID 1160 wrote to memory of 1164 1160 Okmfpm32.exe Ophbqlea.exe
PID 1164 wrote to memory of 2180 1164 Ophbqlea.exe Obgomgee.exe
PID 1164 wrote to memory of 2180 1164 Ophbqlea.exe Obgomgee.exe
PID 1164 wrote to memory of 2180 1164 Ophbqlea.exe Obgomgee.exe
PID 2180 wrote to memory of 4988 2180 Obgomgee.exe Oiagia32.exe
PID 2180 wrote to memory of 4988 2180 Obgomgee.exe Oiagia32.exe
PID 2180 wrote to memory of 4988 2180 Obgomgee.exe Oiagia32.exe
PID 4988 wrote to memory of 2144 4988 Oiagia32.exe Opkoflco.exe
PID 4988 wrote to memory of 2144 4988 Oiagia32.exe Opkoflco.exe
PID 4988 wrote to memory of 2144 4988 Oiagia32.exe Opkoflco.exe
PID 2144 wrote to memory of 3732 2144 Opkoflco.exe Oalknd32.exe
PID 2144 wrote to memory of 3732 2144 Opkoflco.exe Oalknd32.exe
PID 2144 wrote to memory of 3732 2144 Opkoflco.exe Oalknd32.exe
PID 3732 wrote to memory of 4788 3732 Oalknd32.exe Olapkmic.exe
PID 3732 wrote to memory of 4788 3732 Oalknd32.exe Olapkmic.exe
PID 3732 wrote to memory of 4788 3732 Oalknd32.exe Olapkmic.exe
PID 4788 wrote to memory of 2792 4788 Olapkmic.exe Pblhhg32.exe
PID 4788 wrote to memory of 2792 4788 Olapkmic.exe Pblhhg32.exe
PID 4788 wrote to memory of 2792 4788 Olapkmic.exe Pblhhg32.exe
PID 2792 wrote to memory of 4476 2792 Pblhhg32.exe Pejddb32.exe
PID 2792 wrote to memory of 4476 2792 Pblhhg32.exe Pejddb32.exe
PID 2792 wrote to memory of 4476 2792 Pblhhg32.exe Pejddb32.exe
PID 4476 wrote to memory of 4472 4476 Pejddb32.exe Pldlqlgp.exe
PID 4476 wrote to memory of 4472 4476 Pejddb32.exe Pldlqlgp.exe
PID 4476 wrote to memory of 4472 4476 Pejddb32.exe Pldlqlgp.exe
PID 4472 wrote to memory of 4436 4472 Pldlqlgp.exe Pbndmf32.exe
PID 4472 wrote to memory of 4436 4472 Pldlqlgp.exe Pbndmf32.exe
PID 4472 wrote to memory of 4436 4472 Pldlqlgp.exe Pbndmf32.exe
PID 4436 wrote to memory of 4820 4436 Pbndmf32.exe Pihmjqfj.exe
PID 4436 wrote to memory of 4820 4436 Pbndmf32.exe Pihmjqfj.exe
PID 4436 wrote to memory of 4820 4436 Pbndmf32.exe Pihmjqfj.exe
PID 4820 wrote to memory of 32 4820 Pihmjqfj.exe Plfiflen.exe
PID 4820 wrote to memory of 32 4820 Pihmjqfj.exe Plfiflen.exe
PID 4820 wrote to memory of 32 4820 Pihmjqfj.exe Plfiflen.exe
PID 32 wrote to memory of 1388 32 Plfiflen.exe Pbpacfmj.exe
PID 32 wrote to memory of 1388 32 Plfiflen.exe Pbpacfmj.exe
PID 32 wrote to memory of 1388 32 Plfiflen.exe Pbpacfmj.exe
PID 1388 wrote to memory of 1248 1388 Pbpacfmj.exe Pijjpp32.exe
PID 1388 wrote to memory of 1248 1388 Pbpacfmj.exe Pijjpp32.exe
PID 1388 wrote to memory of 1248 1388 Pbpacfmj.exe Pijjpp32.exe
PID 1248 wrote to memory of 2820 1248 Pijjpp32.exe Plifll32.exe
PID 1248 wrote to memory of 2820 1248 Pijjpp32.exe Plifll32.exe
PID 1248 wrote to memory of 2820 1248 Pijjpp32.exe Plifll32.exe
PID 2820 wrote to memory of 4768 2820 Plifll32.exe Pngbhg32.exe
PID 2820 wrote to memory of 4768 2820 Plifll32.exe Pngbhg32.exe
PID 2820 wrote to memory of 4768 2820 Plifll32.exe Pngbhg32.exe
PID 4768 wrote to memory of 4012 4768 Pngbhg32.exe Paendb32.exe
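The rows above describe a relay rather than a fan-out: every process that receives a write is the next one to write into the process it spawns, and each hop is logged three times, once per WriteProcessMemory call. That shape is what separates this sample from a loader that injects into several existing processes, and it is visible before reading the full process tree. The Python below is an added example for this page, not the sandbox's code: it parses rows in this row shape, collapses the repeated writes, rebuilds the writer-to-target graph, and reports the longest chain and whether it is strictly linear. The embedded rows are the first five hops copied from the list above.

```python
"""Rebuild the injection relay from a sandbox 'Suspicious use of
WriteProcessMemory' IoC list.  Added example for this page, not the
sandbox's own code; the embedded rows are copied from the report."""
import re
from collections import defaultdict

# One row as the sandbox renders it:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <target image>
EVENT_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<writer_img>\S+) (?P<target_img>\S+)$"
)

# First five hops copied from the report; the sandbox logs each hop three
# times, once per WriteProcessMemory call.
SAMPLE_EVENTS = """\
PID 772 wrote to memory of 2044 772 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe Oilmnbpg.exe
PID 772 wrote to memory of 2044 772 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe Oilmnbpg.exe
PID 772 wrote to memory of 2044 772 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe Oilmnbpg.exe
PID 2044 wrote to memory of 3508 2044 Oilmnbpg.exe Okkjjnok.exe
PID 2044 wrote to memory of 3508 2044 Oilmnbpg.exe Okkjjnok.exe
PID 2044 wrote to memory of 3508 2044 Oilmnbpg.exe Okkjjnok.exe
PID 3508 wrote to memory of 4692 3508 Okkjjnok.exe Obdbgh32.exe
PID 3508 wrote to memory of 4692 3508 Okkjjnok.exe Obdbgh32.exe
PID 3508 wrote to memory of 4692 3508 Okkjjnok.exe Obdbgh32.exe
PID 4692 wrote to memory of 1372 4692 Obdbgh32.exe Oagbbdnb.exe
PID 4692 wrote to memory of 1372 4692 Obdbgh32.exe Oagbbdnb.exe
PID 4692 wrote to memory of 1372 4692 Obdbgh32.exe Oagbbdnb.exe
PID 1372 wrote to memory of 1160 1372 Oagbbdnb.exe Okmfpm32.exe
PID 1372 wrote to memory of 1160 1372 Oagbbdnb.exe Okmfpm32.exe
PID 1372 wrote to memory of 1160 1372 Oagbbdnb.exe Okmfpm32.exe
"""


def parse_events(text):
    """Return ({(writer_pid, target_pid): write_count}, {pid: image name})."""
    writes = defaultdict(int)
    names = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                      # headers and unrelated rows are skipped
        w, t = int(m["writer"]), int(m["target"])
        writes[(w, t)] += 1
        names[w] = m["writer_img"]
        names[t] = m["target_img"]
    return dict(writes), names


def longest_chain(writes, names):
    """Depth-first walk from every root writer; return the longest
    writer -> target path as image names."""
    children = defaultdict(list)
    for w, t in writes:
        children[w].append(t)
    targets = {t for _, t in writes}
    roots = sorted({w for w, _ in writes if w not in targets})
    best = []

    def walk(pid, path, seen):
        nonlocal best
        if len(path) > len(best):
            best = path
        for child in children[pid]:
            if child not in seen:         # a cycle would otherwise recurse forever
                walk(child, path + [child], seen | {child})

    for root in roots:
        walk(root, [root], {root})
    return [names[p] for p in best]


def is_linear_relay(writes):
    """True when every writer has exactly one target and every target exactly
    one writer, i.e. the graph is a single path rather than a fan-out."""
    out_deg, in_deg = defaultdict(int), defaultdict(int)
    for w, t in writes:
        out_deg[w] += 1
        in_deg[t] += 1
    return all(d == 1 for d in out_deg.values()) and all(d == 1 for d in in_deg.values())


def summarize(text):
    writes, names = parse_events(text)
    return {
        "hops": len(writes),
        "writes_per_hop": sorted(set(writes.values())),
        "chain": longest_chain(writes, names),
        "linear_relay": is_linear_relay(writes),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    print(f"{s['hops']} hops, {s['writes_per_hop']} writes per hop, linear={s['linear_relay']}")
    print(" -> ".join(s["chain"]))
```

Feeding all 64 rows from the list above gives 22 hops and a 23-process chain ending at Paendb32.exe; the process tree that follows shows the relay continuing far beyond the rows the signature lists.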
Processes
-
C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Oilmnbpg.exeC:\Windows\system32\Oilmnbpg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Okkjjnok.exeC:\Windows\system32\Okkjjnok.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Obdbgh32.exeC:\Windows\system32\Obdbgh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Oagbbdnb.exeC:\Windows\system32\Oagbbdnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Okmfpm32.exeC:\Windows\system32\Okmfpm32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Ophbqlea.exeC:\Windows\system32\Ophbqlea.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Obgomgee.exeC:\Windows\system32\Obgomgee.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Oiagia32.exeC:\Windows\system32\Oiagia32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Opkoflco.exeC:\Windows\system32\Opkoflco.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Oalknd32.exeC:\Windows\system32\Oalknd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Olapkmic.exeC:\Windows\system32\Olapkmic.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Pblhhg32.exeC:\Windows\system32\Pblhhg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Pejddb32.exeC:\Windows\system32\Pejddb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Pldlqlgp.exeC:\Windows\system32\Pldlqlgp.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Pbndmf32.exeC:\Windows\system32\Pbndmf32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Pihmjqfj.exeC:\Windows\system32\Pihmjqfj.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Plfiflen.exeC:\Windows\system32\Plfiflen.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Pbpacfmj.exeC:\Windows\system32\Pbpacfmj.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Pijjpp32.exeC:\Windows\system32\Pijjpp32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Plifll32.exeC:\Windows\system32\Plifll32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Pngbhg32.exeC:\Windows\system32\Pngbhg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Paendb32.exeC:\Windows\system32\Paendb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Phpfqmio.exeC:\Windows\system32\Phpfqmio.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Ppgobjia.exeC:\Windows\system32\Ppgobjia.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Pbekne32.exeC:\Windows\system32\Pbekne32.exe26⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Piockppb.exeC:\Windows\system32\Piockppb.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\Plmogkoe.exeC:\Windows\system32\Plmogkoe.exe28⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Qnlkcfni.exeC:\Windows\system32\Qnlkcfni.exe29⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Qefdpq32.exeC:\Windows\system32\Qefdpq32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Qlpllkmc.exeC:\Windows\system32\Qlpllkmc.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Qbjdiedp.exeC:\Windows\system32\Qbjdiedp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:224 -
C:\Windows\SysWOW64\Qehqepcc.exeC:\Windows\system32\Qehqepcc.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4592 -
C:\Windows\SysWOW64\Albibj32.exeC:\Windows\system32\Albibj32.exe34⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Aoqenf32.exeC:\Windows\system32\Aoqenf32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4728 -
C:\Windows\SysWOW64\Aejmkpaq.exeC:\Windows\system32\Aejmkpaq.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Aifiko32.exeC:\Windows\system32\Aifiko32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Appahiag.exeC:\Windows\system32\Appahiag.exe39⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Aaanpa32.exeC:\Windows\system32\Aaanpa32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Aemjpp32.exeC:\Windows\system32\Aemjpp32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Ahkflk32.exeC:\Windows\system32\Ahkflk32.exe42⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Apbnnh32.exeC:\Windows\system32\Apbnnh32.exe43⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Aoeniefo.exeC:\Windows\system32\Aoeniefo.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3384 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3604 -
C:\Windows\SysWOW64\Aikbfnfd.exeC:\Windows\system32\Aikbfnfd.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Aogkoedl.exeC:\Windows\system32\Aogkoedl.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Abcgoc32.exeC:\Windows\system32\Abcgoc32.exe48⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Aeacko32.exeC:\Windows\system32\Aeacko32.exe49⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Ahppgjjl.exeC:\Windows\system32\Ahppgjjl.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Apggihko.exeC:\Windows\system32\Apggihko.exe51⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Aahdqp32.exeC:\Windows\system32\Aahdqp32.exe52⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe53⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Bpidngil.exeC:\Windows\system32\Bpidngil.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe57⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe58⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe59⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Bbjmpb32.exeC:\Windows\system32\Bbjmpb32.exe60⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe62⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe65⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4488 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe67⤵
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe68⤵PID:1212
-
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe69⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe70⤵PID:3684
-
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe71⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Chnlihnl.exeC:\Windows\system32\Chnlihnl.exe72⤵PID:3416
-
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe73⤵PID:4784
-
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe74⤵PID:4184
-
C:\Windows\SysWOW64\Cimhckeo.exeC:\Windows\system32\Cimhckeo.exe75⤵
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Clldogdc.exeC:\Windows\system32\Clldogdc.exe76⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3920 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe79⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe80⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe81⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe82⤵PID:2352
-
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe83⤵
- Drops file in System32 directory
PID:388 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe84⤵PID:4072
-
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe85⤵PID:4516
-
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe86⤵PID:3588
-
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe87⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe88⤵PID:4872
-
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe91⤵PID:3708
-
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe92⤵PID:4984
-
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4336 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4632 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe98⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:4164 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1128 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5124 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5168 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe103⤵PID:5216
-
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe104⤵PID:5260
-
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe105⤵PID:5304
-
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe106⤵PID:5348
-
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe107⤵PID:5392
-
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe108⤵PID:5436
-
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe109⤵PID:5480
-
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe110⤵PID:5520
-
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe111⤵PID:5560
-
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe112⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5684 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe115⤵PID:5728
-
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe116⤵
- Drops file in System32 directory
PID:5776 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5816 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe119⤵PID:5912
-
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe120⤵PID:5956
-
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6068 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe123⤵
- Drops file in System32 directory
PID:6112 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe125⤵PID:5200
-
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe126⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe127⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe128⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe129⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe130⤵PID:5696
-
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe131⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe133⤵PID:5948
-
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5984 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6080 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe136⤵
- Modifies registry class
PID:5204 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe137⤵
- Drops file in System32 directory
PID:5400 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe138⤵
- Drops file in System32 directory
PID:5504 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe139⤵PID:5668
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe140⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe141⤵
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe142⤵PID:6092
-
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe143⤵PID:5300
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5740 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe146⤵
- Drops file in System32 directory
PID:5996 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe148⤵
- Modifies registry class
PID:5592 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe149⤵PID:5892
-
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe150⤵PID:5600
-
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5924 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe153⤵
- Modifies registry class
PID:6096 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe154⤵
- Modifies registry class
PID:6168 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6208 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6256 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe157⤵PID:6296
-
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe158⤵
- Modifies registry class
PID:6340 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe159⤵PID:6384
-
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe160⤵PID:6428
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe161⤵
- Modifies registry class
PID:6472 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe162⤵PID:6516
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe163⤵
- Modifies registry class
PID:6560 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe164⤵PID:6604
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe165⤵PID:6648
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe166⤵
- Modifies registry class
PID:6692 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe167⤵PID:6736
-
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe168⤵PID:6784
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6824 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe170⤵
- Modifies registry class
PID:6864 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe171⤵
- Drops file in System32 directory
PID:6908 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe172⤵
- Modifies registry class
PID:6948 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe173⤵PID:6992
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe174⤵PID:7028
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe175⤵PID:7072
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe176⤵PID:7116
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe177⤵
- Drops file in System32 directory
- Modifies registry class
PID:7160 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe178⤵PID:6192
-
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe179⤵
- Modifies registry class
PID:6252 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe180⤵PID:6332
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe181⤵PID:6392
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe182⤵PID:6460
-
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe183⤵PID:6512
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe184⤵PID:6580
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe185⤵
- Modifies registry class
PID:6656 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe186⤵
- Drops file in System32 directory
PID:6712 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6776 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe188⤵PID:6852
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6960 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe190⤵PID:6984
-
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe191⤵
- Drops file in System32 directory
PID:7084 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe192⤵
- Drops file in System32 directory
PID:7112 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe193⤵PID:7096
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe194⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe195⤵PID:6248
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6376 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe197⤵PID:6528
-
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe198⤵
- Drops file in System32 directory
PID:6688 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe199⤵
- Modifies registry class
PID:6800 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe200⤵PID:6780
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe201⤵PID:7004
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe203⤵PID:7156
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe204⤵
- Modifies registry class
PID:6272 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe205⤵
- Modifies registry class
PID:6508 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe206⤵PID:6684
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe207⤵PID:6876
-
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe208⤵PID:6976
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe209⤵PID:7140
-
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe210⤵PID:6328
-
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe211⤵PID:6676
-
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe212⤵PID:7000
-
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe213⤵PID:6244
-
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6568 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe215⤵PID:1628
-
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe216⤵PID:6164
-
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe217⤵
- Drops file in System32 directory
PID:6316 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe218⤵PID:4284
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe219⤵
- Drops file in System32 directory
- Modifies registry class
PID:7192 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe220⤵
- Drops file in System32 directory
- Modifies registry class
PID:7236 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe221⤵
- Drops file in System32 directory
PID:7276 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe222⤵PID:7320
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe223⤵
- Modifies registry class
PID:7356 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe224⤵PID:7404
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7448 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7488 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7532 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe228⤵PID:7576
-
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe229⤵PID:7620
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7664 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe231⤵PID:7708
-
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7752 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe233⤵
- Drops file in System32 directory
PID:7796 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7840 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe235⤵PID:7884
-
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe236⤵
- Modifies registry class
PID:7928 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe237⤵
- Modifies registry class
PID:7968 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8016 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8056 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe240⤵PID:8100
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe241⤵PID:8144
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe242⤵
- Drops file in System32 directory
PID:8188