Analysis
max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
02-06-2024 02:44
Behavioral task
behavioral1
Sample
27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe
Size
276KB
MD5
27dccc3e0fcc7ff0894aedc26d315170
SHA1
b777fafd1d17190547afe227dbc68fa34015fd87
SHA256
e17548baaeab7c6ef5484cce3c0c50605a81647cd39d72246efbf4f96bd3494f
SHA512
96a81a9a2c833a3184ca0a9e9517b047d99d10281eba18384f517601e1492eb192388af9a53513e81e966989b45053b0a9eb9b5cfd3db14e880d476fca4e775e
SSDEEP
6144:lHjBHyvlwqwptRIJsdWZHEFJ7aWN1rtMsQBOSGaF+:lHjxRIo2HEGWN1RMs1S7
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Each value under ShellServiceObjectDelayLoad names a CLSID that Explorer.exe instantiates when the shell starts, so a DLL registered as that CLSID's in-process server runs at every logon. The sample registers "Web Event Logger" = {79FAA099-1BAE-816E-D711-115290CEE717} in the Wow6432Node view (the 32-bit process writes through the WOW64 registry redirector); the DLL behind that CLSID is set in the "Modifies registry class" signature.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hldlga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hnhgha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jibnop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qboikm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Joblkegc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpgdnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llbqfe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpkchm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbginomj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fcgaae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jocalffk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jocalffk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdcifi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnapnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idohdhbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fheoiqgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Okijhmcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lomidgkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffaaoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmkeke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lkgngb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onnnml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jclnnmic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llpaha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ldihjo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjaddn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bafhff32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nepach32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjbbpmgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmidlmcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jljeeqfn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koddccaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajmhljip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fbmfkkbm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkbmbl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfcodkcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onamle32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aahimb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Knohpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdjihgef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jahbmlil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oomjng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbboiknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odanqb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cegbce32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Achjibcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Laqojfli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ahpddmia.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlefjpid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgdnnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nipdkieg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iohbjpkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jneoojeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cooddbfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhcjilcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mikjpiim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dnefhpma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jajocl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlldmimi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ljpnch32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
\Windows\SysWOW64\Pnopldgn.exe | family_berbew
\Windows\SysWOW64\Qglmpi32.exe | family_berbew
\Windows\SysWOW64\Amnocpdk.exe | family_berbew
\Windows\SysWOW64\Anahqh32.exe | family_berbew
\Windows\SysWOW64\Akhfoldn.exe | family_berbew
C:\Windows\SysWOW64\Bccjdnbi.exe | family_berbew
C:\Windows\SysWOW64\Bfccei32.exe | family_berbew
C:\Windows\SysWOW64\Bbjdjjdn.exe | family_berbew
\Windows\SysWOW64\Cjmopkla.exe | family_berbew
C:\Windows\SysWOW64\Chqoipkk.exe | family_berbew
behavioral1/memory/2680-142-0x0000000000450000-0x0000000000492000-memory.dmp | family_berbew
\Windows\SysWOW64\Dbojdmcd.exe | family_berbew
\Windows\SysWOW64\Dllhhaep.exe | family_berbew
\Windows\SysWOW64\Eamilh32.exe | family_berbew
\Windows\SysWOW64\Eapfagno.exe | family_berbew
\Windows\SysWOW64\Fffefjmi.exe | family_berbew
C:\Windows\SysWOW64\Fbmfkkbm.exe | family_berbew
C:\Windows\SysWOW64\Fnipkkdl.exe | family_berbew
behavioral1/memory/1196-244-0x0000000000220000-0x0000000000262000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Gnkmqkbi.exe | family_berbew
C:\Windows\SysWOW64\Gegabegc.exe | family_berbew
C:\Windows\SysWOW64\Ihmpobck.exe | family_berbew
C:\Windows\SysWOW64\Ilofhffj.exe | family_berbew
behavioral1/memory/1980-288-0x0000000000220000-0x0000000000262000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ieigfk32.exe | family_berbew
C:\Windows\SysWOW64\Jhjphfgi.exe | family_berbew
C:\Windows\SysWOW64\Jdaqmg32.exe | family_berbew
C:\Windows\SysWOW64\Jpjngh32.exe | family_berbew
C:\Windows\SysWOW64\Jjbbpmgo.exe | family_berbew
C:\Windows\SysWOW64\Kfkpknkq.exe | family_berbew
C:\Windows\SysWOW64\Koddccaa.exe | family_berbew
C:\Windows\SysWOW64\Kbgjkn32.exe | family_berbew
C:\Windows\SysWOW64\Kdhcli32.exe | family_berbew
C:\Windows\SysWOW64\Ljghjpfe.exe | family_berbew
behavioral1/memory/2688-409-0x0000000000220000-0x0000000000262000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ldllgiek.exe | family_berbew
C:\Windows\SysWOW64\Lmgalkcf.exe | family_berbew
C:\Windows\SysWOW64\Lgoboc32.exe | family_berbew
C:\Windows\SysWOW64\Lcfbdd32.exe | family_berbew
C:\Windows\SysWOW64\Mmogmjmn.exe | family_berbew
C:\Windows\SysWOW64\Mbkpeake.exe | family_berbew
C:\Windows\SysWOW64\Mmadbjkk.exe | family_berbew
C:\Windows\SysWOW64\Mpopnejo.exe | family_berbew
C:\Windows\SysWOW64\Mgjebg32.exe | family_berbew
C:\Windows\SysWOW64\Macilmnk.exe | family_berbew
C:\Windows\SysWOW64\Mjkndb32.exe | family_berbew
C:\Windows\SysWOW64\Maefamlh.exe | family_berbew
C:\Windows\SysWOW64\Mjnjjbbh.exe | family_berbew
C:\Windows\SysWOW64\Ncfoch32.exe | family_berbew
C:\Windows\SysWOW64\Nnkcpq32.exe | family_berbew
C:\Windows\SysWOW64\Nfghdcfj.exe | family_berbew
C:\Windows\SysWOW64\Npolmh32.exe | family_berbew
C:\Windows\SysWOW64\Nigafnck.exe | family_berbew
C:\Windows\SysWOW64\Ndmecgba.exe | family_berbew
C:\Windows\SysWOW64\Nmejllia.exe | family_berbew
C:\Windows\SysWOW64\Nbbbdcgi.exe | family_berbew
C:\Windows\SysWOW64\Oiljam32.exe | family_berbew
C:\Windows\SysWOW64\Ooicid32.exe | family_berbew
C:\Windows\SysWOW64\Ohagbj32.exe | family_berbew
C:\Windows\SysWOW64\Odhhgkib.exe | family_berbew
C:\Windows\SysWOW64\Omqlpp32.exe | family_berbew
C:\Windows\SysWOW64\Oehdan32.exe | family_berbew
C:\Windows\SysWOW64\Oanefo32.exe | family_berbew
C:\Windows\SysWOW64\Ohhmcinf.exe | family_berbew
Executes dropped EXE 64 IoCs
pid | process
2632 | Pnopldgn.exe
2496 | Qglmpi32.exe
3064 | Amnocpdk.exe
2468 | Anahqh32.exe
2488 | Akhfoldn.exe
2620 | Bccjdnbi.exe
1492 | Bfccei32.exe
1760 | Bbjdjjdn.exe
2680 | Cjmopkla.exe
2040 | Chqoipkk.exe
1196 | Dbojdmcd.exe
1556 | Dllhhaep.exe
880 | Eamilh32.exe
2444 | Eapfagno.exe
2724 | Fffefjmi.exe
528 | Fbmfkkbm.exe
2148 | Fnipkkdl.exe
1836 | Gnkmqkbi.exe
1632 | Gegabegc.exe
1980 | Ihmpobck.exe
2304 | Ilofhffj.exe
2940 | Ieigfk32.exe
2416 | Jhjphfgi.exe
2196 | Jdaqmg32.exe
2840 | Jpjngh32.exe
2224 | Jjbbpmgo.exe
2688 | Kfkpknkq.exe
2564 | Koddccaa.exe
2876 | Kbgjkn32.exe
2664 | Kdhcli32.exe
2392 | Ljghjpfe.exe
2412 | Ldllgiek.exe
2156 | Lmgalkcf.exe
2640 | Lgoboc32.exe
2388 | Lcfbdd32.exe
3020 | Mmogmjmn.exe
1132 | Mbkpeake.exe
1968 | Mmadbjkk.exe
1092 | Mpopnejo.exe
932 | Mgjebg32.exe
2024 | Macilmnk.exe
324 | Mjkndb32.exe
2860 | Maefamlh.exe
436 | Mjnjjbbh.exe
964 | Ncfoch32.exe
488 | Nnkcpq32.exe
1872 | Nfghdcfj.exe
888 | Npolmh32.exe
2760 | Nigafnck.exe
1636 | Ndmecgba.exe
2652 | Nmejllia.exe
1596 | Nbbbdcgi.exe
2440 | Oiljam32.exe
2556 | Ooicid32.exe
2708 | Ohagbj32.exe
2604 | Odhhgkib.exe
2344 | Omqlpp32.exe
332 | Oehdan32.exe
2472 | Oanefo32.exe
756 | Ohhmcinf.exe
1672 | Oaqbln32.exe
2000 | Pgnjde32.exe
2152 | Pilfpqaa.exe
1820 | Ppfomk32.exe
Loads dropped DLL 64 IoCs
pid | process
1664 | 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe
1664 | 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe
2632 | Pnopldgn.exe
2632 | Pnopldgn.exe
2496 | Qglmpi32.exe
2496 | Qglmpi32.exe
3064 | Amnocpdk.exe
3064 | Amnocpdk.exe
2468 | Anahqh32.exe
2468 | Anahqh32.exe
2488 | Akhfoldn.exe
2488 | Akhfoldn.exe
2620 | Bccjdnbi.exe
2620 | Bccjdnbi.exe
1492 | Bfccei32.exe
1492 | Bfccei32.exe
1760 | Bbjdjjdn.exe
1760 | Bbjdjjdn.exe
2680 | Cjmopkla.exe
2680 | Cjmopkla.exe
2040 | Chqoipkk.exe
2040 | Chqoipkk.exe
1196 | Dbojdmcd.exe
1196 | Dbojdmcd.exe
1556 | Dllhhaep.exe
1556 | Dllhhaep.exe
880 | Eamilh32.exe
880 | Eamilh32.exe
2444 | Eapfagno.exe
2444 | Eapfagno.exe
2724 | Fffefjmi.exe
2724 | Fffefjmi.exe
528 | Fbmfkkbm.exe
528 | Fbmfkkbm.exe
2148 | Fnipkkdl.exe
2148 | Fnipkkdl.exe
1836 | Gnkmqkbi.exe
1836 | Gnkmqkbi.exe
1632 | Gegabegc.exe
1632 | Gegabegc.exe
1980 | Ihmpobck.exe
1980 | Ihmpobck.exe
2304 | Ilofhffj.exe
2304 | Ilofhffj.exe
2940 | Ieigfk32.exe
2940 | Ieigfk32.exe
2416 | Jhjphfgi.exe
2416 | Jhjphfgi.exe
2196 | Jdaqmg32.exe
2196 | Jdaqmg32.exe
2840 | Jpjngh32.exe
2840 | Jpjngh32.exe
2224 | Jjbbpmgo.exe
2224 | Jjbbpmgo.exe
2688 | Kfkpknkq.exe
2688 | Kfkpknkq.exe
2564 | Koddccaa.exe
2564 | Koddccaa.exe
2876 | Kbgjkn32.exe
2876 | Kbgjkn32.exe
2664 | Kdhcli32.exe
2664 | Kdhcli32.exe
2392 | Ljghjpfe.exe
2392 | Ljghjpfe.exe
Drops file in System32 directory 64 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\Olcdph32.dll | Ainkcf32.exe
File created | C:\Windows\SysWOW64\Lkcbkhnk.dll | Cbbomjnn.exe
File created | C:\Windows\SysWOW64\Ipqicdim.exe | Ijfqfj32.exe
File created | C:\Windows\SysWOW64\Mbiamkii.dll | Cooddbfh.exe
File opened for modification | C:\Windows\SysWOW64\Ppgdjqna.exe | Pccdqloh.exe
File created | C:\Windows\SysWOW64\Jilkbn32.exe | Jdobjgqg.exe
File opened for modification | C:\Windows\SysWOW64\Pobgjhgh.exe | 
File opened for modification | C:\Windows\SysWOW64\Lilfgq32.exe | Lbbnjgik.exe
File created | C:\Windows\SysWOW64\Ecobmg32.exe | Elejqm32.exe
File created | C:\Windows\SysWOW64\Hbddhc32.dll | Iefchacp.exe
File created | C:\Windows\SysWOW64\Dedcbj32.dll | Bnmjgkpo.exe
File created | C:\Windows\SysWOW64\Fbhekc32.dll | Cmdcngbd.exe
File created | C:\Windows\SysWOW64\Fohlogok.dll | Hnjbeh32.exe
File created | C:\Windows\SysWOW64\Jfgebjnm.exe | Jmnqje32.exe
File created | C:\Windows\SysWOW64\Bdhleh32.exe | Bolcma32.exe
File opened for modification | C:\Windows\SysWOW64\Qifpqi32.exe | Qmpplh32.exe
File opened for modification | C:\Windows\SysWOW64\Hpjgdf32.exe | Hgobpd32.exe
File opened for modification | C:\Windows\SysWOW64\Nfncad32.exe | 
File opened for modification | C:\Windows\SysWOW64\Fodebh32.exe | Fapeic32.exe
File created | C:\Windows\SysWOW64\Pklmdamd.dll | Bomlppdb.exe
File created | C:\Windows\SysWOW64\Lmbabj32.exe | Lekjal32.exe
File created | C:\Windows\SysWOW64\Cdqfgh32.exe | Cbajme32.exe
File opened for modification | C:\Windows\SysWOW64\Dllhhaep.exe | Dbojdmcd.exe
File created | C:\Windows\SysWOW64\Gielfcfg.dll | Lklikj32.exe
File created | C:\Windows\SysWOW64\Phjflgea.dll | Qmepanje.exe
File opened for modification | C:\Windows\SysWOW64\Acjfpokk.exe | Anmnhhmd.exe
File created | C:\Windows\SysWOW64\Gnfnae32.dll | Mikjpiim.exe
File created | C:\Windows\SysWOW64\Bdcifi32.exe | Bccmmf32.exe
File opened for modification | C:\Windows\SysWOW64\Jeqopcld.exe | Jhmofo32.exe
File created | C:\Windows\SysWOW64\Dnhgdb32.dll | Legaoehg.exe
File opened for modification | C:\Windows\SysWOW64\Ngencpel.exe | Nmmjjk32.exe
File created | C:\Windows\SysWOW64\Nmejllia.exe | Ndmecgba.exe
File created | C:\Windows\SysWOW64\Ejebfdmb.dll | Ifgpnmom.exe
File opened for modification | C:\Windows\SysWOW64\Egonhf32.exe | Epeekmjk.exe
File created | C:\Windows\SysWOW64\Boajohpm.dll | Dgnhhq32.exe
File created | C:\Windows\SysWOW64\Cneqpc32.dll | Ehaaei32.exe
File created | C:\Windows\SysWOW64\Pbenfb32.dll | Eocieq32.exe
File created | C:\Windows\SysWOW64\Gkephn32.exe | Gfhgpg32.exe
File opened for modification | C:\Windows\SysWOW64\Dlifadkk.exe | Dnefhpma.exe
File created | C:\Windows\SysWOW64\Jajocl32.exe | Jahbmlil.exe
File created | C:\Windows\SysWOW64\Lfingaaf.exe | Loofjg32.exe
File created | C:\Windows\SysWOW64\Phmogdkh.dll | Andjgidl.exe
File created | C:\Windows\SysWOW64\Qpceaipi.dll | Lclicpkm.exe
File created | C:\Windows\SysWOW64\Ddaemh32.exe | Dilapopb.exe
File created | C:\Windows\SysWOW64\Caefjg32.dll | Khgkpl32.exe
File opened for modification | C:\Windows\SysWOW64\Holldk32.exe | Hoipnl32.exe
File created | C:\Windows\SysWOW64\Mifnodlj.dll | Eoblnd32.exe
File created | C:\Windows\SysWOW64\Jneoojeb.exe | Jclnnmic.exe
File created | C:\Windows\SysWOW64\Adlqbf32.dll | Lehfafgp.exe
File created | C:\Windows\SysWOW64\Gijllcml.dll | Hjmmcgha.exe
File created | C:\Windows\SysWOW64\Kjkehhjf.exe | Kbppdfmk.exe
File created | C:\Windows\SysWOW64\Qielqc32.dll | 
File created | C:\Windows\SysWOW64\Jgknok32.dll | 
File opened for modification | C:\Windows\SysWOW64\Pjjkfe32.exe | Paafmp32.exe
File created | C:\Windows\SysWOW64\Olgpff32.exe | Nldcagaq.exe
File created | C:\Windows\SysWOW64\Ljghjpfe.exe | Kdhcli32.exe
File created | C:\Windows\SysWOW64\Iahkpg32.exe | Iimfld32.exe
File opened for modification | C:\Windows\SysWOW64\Ibkhak32.exe | Igeddb32.exe
File created | C:\Windows\SysWOW64\Kmdlca32.dll | Ojomdoof.exe
File opened for modification | C:\Windows\SysWOW64\Khadpa32.exe | Kcdlhj32.exe
File created | C:\Windows\SysWOW64\Aijpfppe.dll | Hnhgha32.exe
File created | C:\Windows\SysWOW64\Dbhnfkfh.dll | Opekenmh.exe
File opened for modification | C:\Windows\SysWOW64\Ajjeld32.exe | 
File opened for modification | C:\Windows\SysWOW64\Kfkpknkq.exe | Jjbbpmgo.exe
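The "Executes dropped EXE", "Loads dropped DLL" and "Drops file in System32 directory" signatures describe one chain: each copy dropped into SysWOW64 writes the next one, which is then run. Cross-checking those tables by hand is tedious, so the following Python (added here; not part of the report and not Triage's code) does it over a constructed sample of rows copied from the tables above. It confirms which consecutive entries of the execution list were written by their predecessor, reports the ones whose writer is not in the sample (the report shows only the first 64 rows of each kind, so a missing writer means "look at the full list", not "not dropped"), and flags dropped files whose names fit the eight-character pattern every dropped name in this report shares. The function names and the naming heuristic are mine, not a family signature.

```python
import re

# Constructed sample input, copied from the tables above: six rows of the
# "Executes dropped EXE" list (pid, process, in the report's order) and the
# "Drops file in System32 directory" rows that mention those processes.
EXECUTED = [
    (1196, "Dbojdmcd.exe"),
    (1556, "Dllhhaep.exe"),
    (2664, "Kdhcli32.exe"),
    (2392, "Ljghjpfe.exe"),
    (1636, "Ndmecgba.exe"),
    (2652, "Nmejllia.exe"),
]

DROP_RECORDS = r"""
File opened for modification C:\Windows\SysWOW64\Dllhhaep.exe Dbojdmcd.exe
File created C:\Windows\SysWOW64\Ljghjpfe.exe Kdhcli32.exe
File created C:\Windows\SysWOW64\Nmejllia.exe Ndmecgba.exe
File created C:\Windows\SysWOW64\Olcdph32.dll Ainkcf32.exe
File opened for modification C:\Windows\SysWOW64\Pobgjhgh.exe
"""

# One report row: action, path, and (optionally) the writing process.
RECORD_RE = re.compile(
    r"^(?P<action>File created|File opened for modification) "
    r"(?P<path>\S+)(?: (?P<process>\S+))?$"
)

# Every dropped name in this report is eight characters: a capital letter
# followed by seven lowercase letters, or by five lowercase letters and "32".
# Heuristic derived from the names listed above, not a family signature.
GENERATED_NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")

SYSWOW64 = "C:\\Windows\\SysWOW64\\"


def parse_drop_records(text):
    """Parse report rows into (action, path, writer) tuples; writer may be None."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m["action"], m["path"], m["process"]))
    return records


def writers_by_basename(records):
    """Map each written file name to the set of processes that wrote it."""
    writers = {}
    for _action, path, writer in records:
        base = path.rsplit("\\", 1)[-1]
        writers.setdefault(base, set())
        if writer:
            writers[base].add(writer)
    return writers


def confirm_chain(executed, records):
    """Walk the execution order pairwise. A link is confirmed when the earlier
    process is recorded as having written the later binary; later binaries
    with no recorded writer are returned so the analyst can find the missing
    row in the full report."""
    writers = writers_by_basename(records)
    confirmed, unexplained = [], []
    for (_, prev), (_, cur) in zip(executed, executed[1:]):
        if prev in writers.get(cur, set()):
            confirmed.append((prev, cur))
        else:
            unexplained.append(cur)
    return confirmed, unexplained


def suspicious_drops(records, directory=SYSWOW64):
    """Files dropped into the system directory whose names fit the pattern."""
    return [
        path for _action, path, _writer in records
        if path.startswith(directory) and GENERATED_NAME_RE.match(path[len(directory):])
    ]


if __name__ == "__main__":
    recs = parse_drop_records(DROP_RECORDS)
    confirmed, unexplained = confirm_chain(EXECUTED, recs)
    for writer, written in confirmed:
        print(f"{writer} wrote and then ran {written}")
    print("no writer recorded for:", unexplained)
    print("generated-looking drops:", suspicious_drops(recs))
```

On the sample, three links are confirmed (Dbojdmcd.exe wrote Dllhhaep.exe, Kdhcli32.exe wrote Ljghjpfe.exe, Ndmecgba.exe wrote Nmejllia.exe), Kdhcli32.exe and Ndmecgba.exe have no writer in the sample, and all five dropped paths match the name pattern. The same parser takes the full table pasted from the report as input.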
Program crash 1 IoCs
pid | pid_target | process | target process
4580 | 3752 | | 
Modifies registry class 64 IoCs
These rows register the in-process server for the CLSID named in the ShellServiceObjectDelayLoad value above: the InProcServer32 default value is pointed at a dropped DLL under C:\Windows\SysWow64 (a different DLL name per dropping process, so the last writer wins) with ThreadingModel = "Apartment", which is what lets Explorer.exe load the DLL at shell start.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhack32.dll" | 
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gbhbdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongkdd32.dll" | Hldlga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bcoffd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ohbmppia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Febjmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfdhfiq.dll" | Bobleeef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ldihjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgflpn32.dll" | Ogbgbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Facdgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgielf32.dll" | Qanolm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll" | Neohqicc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmegi32.dll" | Ljjjmeie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplnekmg.dll" | Lcdhgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qnpeijla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqdlookk.dll" | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoqijad.dll" | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pilfpqaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pohhna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajpepm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jdogldmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkfnp32.dll" | Iecohl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdojinhb.dll" | Ldllgiek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbhcoif.dll" | Aacmij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pqjhjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bhdjno32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hhnnnbaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pamibjoj.dll" | Lhpkoo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dncibp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjdjiqp.dll" | Fhbpkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleijpbj.dll" | Peedka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qngopb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gfcopl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bcoffd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hgjieedg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfahiebp.dll" | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llpenogi.dll" | Macilmnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhihab32.dll" | Lbojjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dabfjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qdhqpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fapeic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jhjbqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kjlgaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Poibmdmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Omdbdb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hpmdjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gconbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dahkok32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cjbmll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eldbkbop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhllnk32.dll" | Hhnnnbaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobjghoh.dll" | Kheaoj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Anahqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbnach32.dll" | Nndemg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omgipo32.dll" | Ifengpdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colojben.dll" | Gbmlkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljkodkb.dll" | Ejiadgkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Apgagg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjbkefk.dll" | Nepokogo.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe Pnopldgn.exe Qglmpi32.exe Amnocpdk.exe Anahqh32.exe Akhfoldn.exe Bccjdnbi.exe Bfccei32.exe Bbjdjjdn.exe Cjmopkla.exe Chqoipkk.exe Dbojdmcd.exe Dllhhaep.exe Eamilh32.exe Eapfagno.exe Fffefjmi.exe
description pid process target process
PID 1664 wrote to memory of 2632 1664 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe Pnopldgn.exe
PID 1664 wrote to memory of 2632 1664 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe Pnopldgn.exe
PID 1664 wrote to memory of 2632 1664 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe Pnopldgn.exe
PID 1664 wrote to memory of 2632 1664 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe Pnopldgn.exe
PID 2632 wrote to memory of 2496 2632 Pnopldgn.exe Qglmpi32.exe
PID 2632 wrote to memory of 2496 2632 Pnopldgn.exe Qglmpi32.exe
PID 2632 wrote to memory of 2496 2632 Pnopldgn.exe Qglmpi32.exe
PID 2632 wrote to memory of 2496 2632 Pnopldgn.exe Qglmpi32.exe
PID 2496 wrote to memory of 3064 2496 Qglmpi32.exe Amnocpdk.exe
PID 2496 wrote to memory of 3064 2496 Qglmpi32.exe Amnocpdk.exe
PID 2496 wrote to memory of 3064 2496 Qglmpi32.exe Amnocpdk.exe
PID 2496 wrote to memory of 3064 2496 Qglmpi32.exe Amnocpdk.exe
PID 3064 wrote to memory of 2468 3064 Amnocpdk.exe Anahqh32.exe
PID 3064 wrote to memory of 2468 3064 Amnocpdk.exe Anahqh32.exe
PID 3064 wrote to memory of 2468 3064 Amnocpdk.exe Anahqh32.exe
PID 3064 wrote to memory of 2468 3064 Amnocpdk.exe Anahqh32.exe
PID 2468 wrote to memory of 2488 2468 Anahqh32.exe Akhfoldn.exe
PID 2468 wrote to memory of 2488 2468 Anahqh32.exe Akhfoldn.exe
PID 2468 wrote to memory of 2488 2468 Anahqh32.exe Akhfoldn.exe
PID 2468 wrote to memory of 2488 2468 Anahqh32.exe Akhfoldn.exe
PID 2488 wrote to memory of 2620 2488 Akhfoldn.exe Bccjdnbi.exe
PID 2488 wrote to memory of 2620 2488 Akhfoldn.exe Bccjdnbi.exe
PID 2488 wrote to memory of 2620 2488 Akhfoldn.exe Bccjdnbi.exe
PID 2488 wrote to memory of 2620 2488 Akhfoldn.exe Bccjdnbi.exe
PID 2620 wrote to memory of 1492 2620 Bccjdnbi.exe Bfccei32.exe
PID 2620 wrote to memory of 1492 2620 Bccjdnbi.exe Bfccei32.exe
PID 2620 wrote to memory of 1492 2620 Bccjdnbi.exe Bfccei32.exe
PID 2620 wrote to memory of 1492 2620 Bccjdnbi.exe Bfccei32.exe
PID 1492 wrote to memory of 1760 1492 Bfccei32.exe Bbjdjjdn.exe
PID 1492 wrote to memory of 1760 1492 Bfccei32.exe Bbjdjjdn.exe
PID 1492 wrote to memory of 1760 1492 Bfccei32.exe Bbjdjjdn.exe
PID 1492 wrote to memory of 1760 1492 Bfccei32.exe Bbjdjjdn.exe
PID 1760 wrote to memory of 2680 1760 Bbjdjjdn.exe Cjmopkla.exe
PID 1760 wrote to memory of 2680 1760 Bbjdjjdn.exe Cjmopkla.exe
PID 1760 wrote to memory of 2680 1760 Bbjdjjdn.exe Cjmopkla.exe
PID 1760 wrote to memory of 2680 1760 Bbjdjjdn.exe Cjmopkla.exe
PID 2680 wrote to memory of 2040 2680 Cjmopkla.exe Chqoipkk.exe
PID 2680 wrote to memory of 2040 2680 Cjmopkla.exe Chqoipkk.exe
PID 2680 wrote to memory of 2040 2680 Cjmopkla.exe Chqoipkk.exe
PID 2680 wrote to memory of 2040 2680 Cjmopkla.exe Chqoipkk.exe
PID 2040 wrote to memory of 1196 2040 Chqoipkk.exe Dbojdmcd.exe
PID 2040 wrote to memory of 1196 2040 Chqoipkk.exe Dbojdmcd.exe
PID 2040 wrote to memory of 1196 2040 Chqoipkk.exe Dbojdmcd.exe
PID 2040 wrote to memory of 1196 2040 Chqoipkk.exe Dbojdmcd.exe
PID 1196 wrote to memory of 1556 1196 Dbojdmcd.exe Dllhhaep.exe
PID 1196 wrote to memory of 1556 1196 Dbojdmcd.exe Dllhhaep.exe
PID 1196 wrote to memory of 1556 1196 Dbojdmcd.exe Dllhhaep.exe
PID 1196 wrote to memory of 1556 1196 Dbojdmcd.exe Dllhhaep.exe
PID 1556 wrote to memory of 880 1556 Dllhhaep.exe Eamilh32.exe
PID 1556 wrote to memory of 880 1556 Dllhhaep.exe Eamilh32.exe
PID 1556 wrote to memory of 880 1556 Dllhhaep.exe Eamilh32.exe
PID 1556 wrote to memory of 880 1556 Dllhhaep.exe Eamilh32.exe
PID 880 wrote to memory of 2444 880 Eamilh32.exe Eapfagno.exe
PID 880 wrote to memory of 2444 880 Eamilh32.exe Eapfagno.exe
PID 880 wrote to memory of 2444 880 Eamilh32.exe Eapfagno.exe
PID 880 wrote to memory of 2444 880 Eamilh32.exe Eapfagno.exe
PID 2444 wrote to memory of 2724 2444 Eapfagno.exe Fffefjmi.exe
PID 2444 wrote to memory of 2724 2444 Eapfagno.exe Fffefjmi.exe
PID 2444 wrote to memory of 2724 2444 Eapfagno.exe Fffefjmi.exe
PID 2444 wrote to memory of 2724 2444 Eapfagno.exe Fffefjmi.exe
PID 2724 wrote to memory of 528 2724 Fffefjmi.exe Fbmfkkbm.exe
PID 2724 wrote to memory of 528 2724 Fffefjmi.exe Fbmfkkbm.exe
PID 2724 wrote to memory of 528 2724 Fffefjmi.exe Fbmfkkbm.exe
PID 2724 wrote to memory of 528 2724 Fffefjmi.exe Fbmfkkbm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe", tree level 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Pnopldgn.exe (command line: C:\Windows\system32\Pnopldgn.exe, tree level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Qglmpi32.exe (command line: C:\Windows\system32\Qglmpi32.exe, tree level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Amnocpdk.exe (command line: C:\Windows\system32\Amnocpdk.exe, tree level 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Anahqh32.exe (command line: C:\Windows\system32\Anahqh32.exe, tree level 5)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Akhfoldn.exe (command line: C:\Windows\system32\Akhfoldn.exe, tree level 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Bccjdnbi.exe (command line: C:\Windows\system32\Bccjdnbi.exe, tree level 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Bfccei32.exe (command line: C:\Windows\system32\Bfccei32.exe, tree level 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Bbjdjjdn.exe (command line: C:\Windows\system32\Bbjdjjdn.exe, tree level 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Cjmopkla.exe (command line: C:\Windows\system32\Cjmopkla.exe, tree level 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Chqoipkk.exe (command line: C:\Windows\system32\Chqoipkk.exe, tree level 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Dbojdmcd.exe (command line: C:\Windows\system32\Dbojdmcd.exe, tree level 12)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Dllhhaep.exe (command line: C:\Windows\system32\Dllhhaep.exe, tree level 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Eamilh32.exe (command line: C:\Windows\system32\Eamilh32.exe, tree level 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Eapfagno.exe (command line: C:\Windows\system32\Eapfagno.exe, tree level 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Fffefjmi.exe (command line: C:\Windows\system32\Fffefjmi.exe, tree level 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fbmfkkbm.exe (command line: C:\Windows\system32\Fbmfkkbm.exe, tree level 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:528 -
C:\Windows\SysWOW64\Fnipkkdl.exe (command line: C:\Windows\system32\Fnipkkdl.exe, tree level 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Gnkmqkbi.exe (command line: C:\Windows\system32\Gnkmqkbi.exe, tree level 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Gegabegc.exe (command line: C:\Windows\system32\Gegabegc.exe, tree level 20)
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Ihmpobck.exe (command line: C:\Windows\system32\Ihmpobck.exe, tree level 21)
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Ilofhffj.exe (command line: C:\Windows\system32\Ilofhffj.exe, tree level 22)
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Ieigfk32.exe (command line: C:\Windows\system32\Ieigfk32.exe, tree level 23)
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Jhjphfgi.exe (command line: C:\Windows\system32\Jhjphfgi.exe, tree level 24)
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Jdaqmg32.exe (command line: C:\Windows\system32\Jdaqmg32.exe, tree level 25)
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Jpjngh32.exe (command line: C:\Windows\system32\Jpjngh32.exe, tree level 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Jjbbpmgo.exe (command line: C:\Windows\system32\Jjbbpmgo.exe, tree level 27)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Kfkpknkq.exe (command line: C:\Windows\system32\Kfkpknkq.exe, tree level 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Koddccaa.exe (command line: C:\Windows\system32\Koddccaa.exe, tree level 29)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Kbgjkn32.exe (command line: C:\Windows\system32\Kbgjkn32.exe, tree level 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Kdhcli32.exe (command line: C:\Windows\system32\Kdhcli32.exe, tree level 31)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ljghjpfe.exe (command line: C:\Windows\system32\Ljghjpfe.exe, tree level 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Ldllgiek.exe (command line: C:\Windows\system32\Ldllgiek.exe, tree level 33)
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Lmgalkcf.exe (command line: C:\Windows\system32\Lmgalkcf.exe, tree level 34)
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Lgoboc32.exe (command line: C:\Windows\system32\Lgoboc32.exe, tree level 35)
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Lcfbdd32.exe (command line: C:\Windows\system32\Lcfbdd32.exe, tree level 36)
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Mmogmjmn.exe (command line: C:\Windows\system32\Mmogmjmn.exe, tree level 37)
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Mbkpeake.exe (command line: C:\Windows\system32\Mbkpeake.exe, tree level 38)
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Mmadbjkk.exe (command line: C:\Windows\system32\Mmadbjkk.exe, tree level 39)
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Mpopnejo.exe (command line: C:\Windows\system32\Mpopnejo.exe, tree level 40)
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Mgjebg32.exe (command line: C:\Windows\system32\Mgjebg32.exe, tree level 41)
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Macilmnk.exe (command line: C:\Windows\system32\Macilmnk.exe, tree level 42)
- Executes dropped EXE
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Mjkndb32.exe (command line: C:\Windows\system32\Mjkndb32.exe, tree level 43)
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Maefamlh.exe (command line: C:\Windows\system32\Maefamlh.exe, tree level 44)
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Mjnjjbbh.exe (command line: C:\Windows\system32\Mjnjjbbh.exe, tree level 45)
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Ncfoch32.exe (command line: C:\Windows\system32\Ncfoch32.exe, tree level 46)
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Nnkcpq32.exe (command line: C:\Windows\system32\Nnkcpq32.exe, tree level 47)
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Nfghdcfj.exe (command line: C:\Windows\system32\Nfghdcfj.exe, tree level 48)
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Npolmh32.exe (command line: C:\Windows\system32\Npolmh32.exe, tree level 49)
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Nigafnck.exe (command line: C:\Windows\system32\Nigafnck.exe, tree level 50)
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ndmecgba.exe (command line: C:\Windows\system32\Ndmecgba.exe, tree level 51)
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Nmejllia.exe (command line: C:\Windows\system32\Nmejllia.exe, tree level 52)
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Nbbbdcgi.exe (command line: C:\Windows\system32\Nbbbdcgi.exe, tree level 53)
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Oiljam32.exe (command line: C:\Windows\system32\Oiljam32.exe, tree level 54)
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ooicid32.exe (command line: C:\Windows\system32\Ooicid32.exe, tree level 55)
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Ohagbj32.exe (command line: C:\Windows\system32\Ohagbj32.exe, tree level 56)
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Odhhgkib.exe (command line: C:\Windows\system32\Odhhgkib.exe, tree level 57)
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Omqlpp32.exe (command line: C:\Windows\system32\Omqlpp32.exe, tree level 58)
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Oehdan32.exe (command line: C:\Windows\system32\Oehdan32.exe, tree level 59)
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Oanefo32.exe (command line: C:\Windows\system32\Oanefo32.exe, tree level 60)
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Ohhmcinf.exe (command line: C:\Windows\system32\Ohhmcinf.exe, tree level 61)
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Oaqbln32.exe (command line: C:\Windows\system32\Oaqbln32.exe, tree level 62)
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Pgnjde32.exe (command line: C:\Windows\system32\Pgnjde32.exe, tree level 63)
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pilfpqaa.exe (command line: C:\Windows\system32\Pilfpqaa.exe, tree level 64)
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Ppfomk32.exe (command line: C:\Windows\system32\Ppfomk32.exe, tree level 65)
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Plmpblnb.exe (command line: C:\Windows\system32\Plmpblnb.exe, tree level 66)
PID:848
-
C:\Windows\SysWOW64\Peedka32.exe (command line: C:\Windows\system32\Peedka32.exe, tree level 67)
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Pciddedl.exe (command line: C:\Windows\system32\Pciddedl.exe, tree level 68)
PID:1552
-
C:\Windows\SysWOW64\Popeif32.exe (command line: C:\Windows\system32\Popeif32.exe, tree level 69)
PID:2252
-
C:\Windows\SysWOW64\Pdmnam32.exe (command line: C:\Windows\system32\Pdmnam32.exe, tree level 70)
PID:372
-
C:\Windows\SysWOW64\Qdojgmfe.exe (command line: C:\Windows\system32\Qdojgmfe.exe, tree level 71)
PID:2248
-
C:\Windows\SysWOW64\Qngopb32.exe (command line: C:\Windows\system32\Qngopb32.exe, tree level 72)
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Anjlebjc.exe (command line: C:\Windows\system32\Anjlebjc.exe, tree level 73)
PID:744
-
C:\Windows\SysWOW64\Agbpnh32.exe (command line: C:\Windows\system32\Agbpnh32.exe, tree level 74)
PID:2256
-
C:\Windows\SysWOW64\Adfqgl32.exe (command line: C:\Windows\system32\Adfqgl32.exe, tree level 75)
PID:860
-
C:\Windows\SysWOW64\Bcpgdhpp.exe (command line: C:\Windows\system32\Bcpgdhpp.exe, tree level 76)
PID:876
-
C:\Windows\SysWOW64\Bmhkmm32.exe (command line: C:\Windows\system32\Bmhkmm32.exe, tree level 77)
PID:1604
-
C:\Windows\SysWOW64\Bkmhnjlh.exe (command line: C:\Windows\system32\Bkmhnjlh.exe, tree level 78)
PID:2580
-
C:\Windows\SysWOW64\Bkpeci32.exe (command line: C:\Windows\system32\Bkpeci32.exe, tree level 79)
PID:2476
-
C:\Windows\SysWOW64\Bgffhkoj.exe (command line: C:\Windows\system32\Bgffhkoj.exe, tree level 80)
PID:2160
-
C:\Windows\SysWOW64\Bnqned32.exe (command line: C:\Windows\system32\Bnqned32.exe, tree level 81)
PID:2396
-
C:\Windows\SysWOW64\Cfnoogbo.exe (command line: C:\Windows\system32\Cfnoogbo.exe, tree level 82)
PID:1864
-
C:\Windows\SysWOW64\Cpfdhl32.exe (command line: C:\Windows\system32\Cpfdhl32.exe, tree level 83)
PID:536
-
C:\Windows\SysWOW64\Cpiqmlfm.exe (command line: C:\Windows\system32\Cpiqmlfm.exe, tree level 84)
PID:1856
-
C:\Windows\SysWOW64\Ciaefa32.exe (command line: C:\Windows\system32\Ciaefa32.exe, tree level 85)
PID:832
-
C:\Windows\SysWOW64\Cnnnnh32.exe (command line: C:\Windows\system32\Cnnnnh32.exe, tree level 86)
PID:2164
-
C:\Windows\SysWOW64\Copjdhib.exe (command line: C:\Windows\system32\Copjdhib.exe, tree level 87)
PID:1252
-
C:\Windows\SysWOW64\Dobgihgp.exe (command line: C:\Windows\system32\Dobgihgp.exe, tree level 88)
PID:2076
-
C:\Windows\SysWOW64\Dmhdkdlg.exe (command line: C:\Windows\system32\Dmhdkdlg.exe, tree level 89)
PID:2736
-
C:\Windows\SysWOW64\Dmjqpdje.exe (command line: C:\Windows\system32\Dmjqpdje.exe, tree level 90)
PID:2864
-
C:\Windows\SysWOW64\Dhpemm32.exe (command line: C:\Windows\system32\Dhpemm32.exe, tree level 91)
PID:3008
-
C:\Windows\SysWOW64\Dgeaoinb.exe (command line: C:\Windows\system32\Dgeaoinb.exe, tree level 92)
PID:1308
-
C:\Windows\SysWOW64\Epmfgo32.exe (command line: C:\Windows\system32\Epmfgo32.exe, tree level 93)
PID:1984
-
C:\Windows\SysWOW64\Eldglp32.exe (command line: C:\Windows\system32\Eldglp32.exe, tree level 94)
PID:748
-
C:\Windows\SysWOW64\Eihgfd32.exe (command line: C:\Windows\system32\Eihgfd32.exe, tree level 95)
PID:1708
-
C:\Windows\SysWOW64\Eacljf32.exe (command line: C:\Windows\system32\Eacljf32.exe, tree level 96)
PID:3056
-
C:\Windows\SysWOW64\Eogmcjef.exe (command line: C:\Windows\system32\Eogmcjef.exe, tree level 97)
PID:2296
-
C:\Windows\SysWOW64\Enlidg32.exe (command line: C:\Windows\system32\Enlidg32.exe, tree level 98)
PID:2532
-
C:\Windows\SysWOW64\Fgdnnl32.exe (command line: C:\Windows\system32\Fgdnnl32.exe, tree level 99)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Fkbgckgd.exe (command line: C:\Windows\system32\Fkbgckgd.exe, tree level 100)
PID:2828
-
C:\Windows\SysWOW64\Fdkklp32.exe (command line: C:\Windows\system32\Fdkklp32.exe, tree level 101)
PID:2340
-
C:\Windows\SysWOW64\Fncpef32.exe (command line: C:\Windows\system32\Fncpef32.exe, tree level 102)
PID:1100
-
C:\Windows\SysWOW64\Fnflke32.exe (command line: C:\Windows\system32\Fnflke32.exe, tree level 103)
PID:2988
-
C:\Windows\SysWOW64\Ffaaoh32.exe (command line: C:\Windows\system32\Ffaaoh32.exe, tree level 104)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Gbhbdi32.exe (command line: C:\Windows\system32\Gbhbdi32.exe, tree level 105)
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Gkpfmnlb.exe (command line: C:\Windows\system32\Gkpfmnlb.exe, tree level 106)
PID:936
-
C:\Windows\SysWOW64\Gfejjgli.exe (command line: C:\Windows\system32\Gfejjgli.exe, tree level 107)
PID:1676
-
C:\Windows\SysWOW64\Gfhgpg32.exe (command line: C:\Windows\system32\Gfhgpg32.exe, tree level 108)
- Drops file in System32 directory
PID:664 -
C:\Windows\SysWOW64\Gkephn32.exe (command line: C:\Windows\system32\Gkephn32.exe, tree level 109)
PID:2892
-
C:\Windows\SysWOW64\Giipab32.exe (command line: C:\Windows\system32\Giipab32.exe, tree level 110)
PID:1788
-
C:\Windows\SysWOW64\Gneijien.exe (command line: C:\Windows\system32\Gneijien.exe, tree level 111)
PID:2908
-
C:\Windows\SysWOW64\Gcbabpcf.exe (command line: C:\Windows\system32\Gcbabpcf.exe, tree level 112)
PID:1076
-
C:\Windows\SysWOW64\Hmkeke32.exe (command line: C:\Windows\system32\Hmkeke32.exe, tree level 113)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Hcdnhoac.exe (command line: C:\Windows\system32\Hcdnhoac.exe, tree level 114)
PID:1580
-
C:\Windows\SysWOW64\Hnjbeh32.exe (command line: C:\Windows\system32\Hnjbeh32.exe, tree level 115)
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Hcgjmo32.exe (command line: C:\Windows\system32\Hcgjmo32.exe, tree level 116)
PID:2612
-
C:\Windows\SysWOW64\Hmoofdea.exe (command line: C:\Windows\system32\Hmoofdea.exe, tree level 117)
PID:2780
-
C:\Windows\SysWOW64\Hfhcoj32.exe (command line: C:\Windows\system32\Hfhcoj32.exe, tree level 118)
PID:2804
-
C:\Windows\SysWOW64\Hldlga32.exe (command line: C:\Windows\system32\Hldlga32.exe, tree level 119)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Hemqpf32.exe (command line: C:\Windows\system32\Hemqpf32.exe, tree level 120)
PID:1084
-
C:\Windows\SysWOW64\Iflmjihl.exe (command line: C:\Windows\system32\Iflmjihl.exe, tree level 121)
PID:1164
-
C:\Windows\SysWOW64\Iliebpfc.exe (command line: C:\Windows\system32\Iliebpfc.exe, tree level 122)
PID:1344
-
C:\Windows\SysWOW64\Iimfld32.exe (command line: C:\Windows\system32\Iimfld32.exe, tree level 123)
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Iahkpg32.exe (command line: C:\Windows\system32\Iahkpg32.exe, tree level 124)
PID:2980
-
C:\Windows\SysWOW64\Imokehhl.exe (command line: C:\Windows\system32\Imokehhl.exe, tree level 125)
PID:1868
-
C:\Windows\SysWOW64\Ifgpnmom.exe (command line: C:\Windows\system32\Ifgpnmom.exe, tree level 126)
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Iamdkfnc.exe (command line: C:\Windows\system32\Iamdkfnc.exe, tree level 127)
PID:2740
-
C:\Windows\SysWOW64\Idkpganf.exe (command line: C:\Windows\system32\Idkpganf.exe, tree level 128)
PID:864
-
C:\Windows\SysWOW64\Jmdepg32.exe (command line: C:\Windows\system32\Jmdepg32.exe, tree level 129)
PID:2544
-
C:\Windows\SysWOW64\Jlnklcej.exe (command line: C:\Windows\system32\Jlnklcej.exe, tree level 130)
PID:2204
-
C:\Windows\SysWOW64\Jefpeh32.exe (command line: C:\Windows\system32\Jefpeh32.exe, tree level 131)
PID:1876
-
C:\Windows\SysWOW64\Kdklfe32.exe (command line: C:\Windows\system32\Kdklfe32.exe, tree level 132)
PID:2020
-
C:\Windows\SysWOW64\Kncaojfb.exe (command line: C:\Windows\system32\Kncaojfb.exe, tree level 133)
PID:684
-
C:\Windows\SysWOW64\Kocmim32.exe (command line: C:\Windows\system32\Kocmim32.exe, tree level 134)
PID:824
-
C:\Windows\SysWOW64\Kgnbnpkp.exe (command line: C:\Windows\system32\Kgnbnpkp.exe, tree level 135)
PID:916
-
C:\Windows\SysWOW64\Knhjjj32.exe (command line: C:\Windows\system32\Knhjjj32.exe, tree level 136)
PID:2728
-
C:\Windows\SysWOW64\Kjokokha.exe (command line: C:\Windows\system32\Kjokokha.exe, tree level 137)
PID:2844
-
C:\Windows\SysWOW64\Kddomchg.exe (command line: C:\Windows\system32\Kddomchg.exe, tree level 138)
PID:1148
-
C:\Windows\SysWOW64\Klpdaf32.exe (command line: C:\Windows\system32\Klpdaf32.exe, tree level 139)
PID:1612
-
C:\Windows\SysWOW64\Llbqfe32.exe (command line: C:\Windows\system32\Llbqfe32.exe, tree level 140)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Lclicpkm.exe (command line: C:\Windows\system32\Lclicpkm.exe, tree level 141)
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Lkgngb32.exe (command line: C:\Windows\system32\Lkgngb32.exe, tree level 142)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2320 -
C:\Windows\SysWOW64\Lfmbek32.exe (command line: C:\Windows\system32\Lfmbek32.exe, tree level 143)
PID:2712
-
C:\Windows\SysWOW64\Lfoojj32.exe (command line: C:\Windows\system32\Lfoojj32.exe, tree level 144)
PID:2776
-
C:\Windows\SysWOW64\Lgqkbb32.exe (command line: C:\Windows\system32\Lgqkbb32.exe, tree level 145)
PID:2832
-
C:\Windows\SysWOW64\Lbfook32.exe (command line: C:\Windows\system32\Lbfook32.exe, tree level 146)
PID:2676
-
C:\Windows\SysWOW64\Mjaddn32.exe (command line: C:\Windows\system32\Mjaddn32.exe, tree level 147)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1192 -
C:\Windows\SysWOW64\Mdghaf32.exe (command line: C:\Windows\system32\Mdghaf32.exe, tree level 148)
PID:1948
-
C:\Windows\SysWOW64\Mnomjl32.exe (command line: C:\Windows\system32\Mnomjl32.exe, tree level 149)
PID:1680
-
C:\Windows\SysWOW64\Mjfnomde.exe (command line: C:\Windows\system32\Mjfnomde.exe, tree level 150)
PID:644
-
C:\Windows\SysWOW64\Mobfgdcl.exe (command line: C:\Windows\system32\Mobfgdcl.exe, tree level 151)
PID:340
-
C:\Windows\SysWOW64\Mikjpiim.exe (command line: C:\Windows\system32\Mikjpiim.exe, tree level 152)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Mpebmc32.exe (command line: C:\Windows\system32\Mpebmc32.exe, tree level 153)
PID:2096
-
C:\Windows\SysWOW64\Mimgeigj.exe (command line: C:\Windows\system32\Mimgeigj.exe, tree level 154)
PID:1504
-
C:\Windows\SysWOW64\Nbflno32.exe (command line: C:\Windows\system32\Nbflno32.exe, tree level 155)
PID:1920
-
C:\Windows\SysWOW64\Nipdkieg.exe (command line: C:\Windows\system32\Nipdkieg.exe, tree level 156)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Nbhhdnlh.exe (command line: C:\Windows\system32\Nbhhdnlh.exe, tree level 157)
PID:1652
-
C:\Windows\SysWOW64\Ngealejo.exe (command line: C:\Windows\system32\Ngealejo.exe, tree level 158)
PID:1812
-
C:\Windows\SysWOW64\Nbjeinje.exe (command line: C:\Windows\system32\Nbjeinje.exe, tree level 159)
PID:2072
-
C:\Windows\SysWOW64\Nhgnaehm.exe (command line: C:\Windows\system32\Nhgnaehm.exe, tree level 160)
PID:2848
-
C:\Windows\SysWOW64\Nbmaon32.exe (command line: C:\Windows\system32\Nbmaon32.exe, tree level 161)
PID:1800
-
C:\Windows\SysWOW64\Nlefhcnc.exe (command line: C:\Windows\system32\Nlefhcnc.exe, tree level 162)
PID:2912
-
C:\Windows\SysWOW64\Nabopjmj.exe (command line: C:\Windows\system32\Nabopjmj.exe, tree level 163)
PID:1352
-
C:\Windows\SysWOW64\Nfoghakb.exe (command line: C:\Windows\system32\Nfoghakb.exe, tree level 164)
PID:2668
-
C:\Windows\SysWOW64\Opglafab.exe (command line: C:\Windows\system32\Opglafab.exe, tree level 165)
PID:1508
-
C:\Windows\SysWOW64\Oippjl32.exe (command line: C:\Windows\system32\Oippjl32.exe, tree level 166)
PID:1228
-
C:\Windows\SysWOW64\Ojomdoof.exe (command line: C:\Windows\system32\Ojomdoof.exe, tree level 167)
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Offmipej.exe (command line: C:\Windows\system32\Offmipej.exe, tree level 168)
PID:2692
-
C:\Windows\SysWOW64\Opnbbe32.exe (command line: C:\Windows\system32\Opnbbe32.exe, tree level 169)
PID:2752
-
C:\Windows\SysWOW64\Ohiffh32.exe (command line: C:\Windows\system32\Ohiffh32.exe, tree level 170)
PID:1288
-
C:\Windows\SysWOW64\Oabkom32.exe (command line: C:\Windows\system32\Oabkom32.exe, tree level 171)
PID:2704
-
C:\Windows\SysWOW64\Pbagipfi.exe (command line: C:\Windows\system32\Pbagipfi.exe, tree level 172)
PID:1324
-
C:\Windows\SysWOW64\Pohhna32.exe (command line: C:\Windows\system32\Pohhna32.exe, tree level 173)
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Pojecajj.exe (command line: C:\Windows\system32\Pojecajj.exe, tree level 174)
PID:1728
-
C:\Windows\SysWOW64\Pgfjhcge.exe (command line: C:\Windows\system32\Pgfjhcge.exe, tree level 175)
PID:2004
-
C:\Windows\SysWOW64\Pkcbnanl.exe (command line: C:\Windows\system32\Pkcbnanl.exe, tree level 176)
PID:1992
-
C:\Windows\SysWOW64\Qgjccb32.exe (command line: C:\Windows\system32\Qgjccb32.exe, tree level 177)
PID:3024
-
C:\Windows\SysWOW64\Qcachc32.exe (command line: C:\Windows\system32\Qcachc32.exe, tree level 178)
PID:1852
-
C:\Windows\SysWOW64\Apgagg32.exe (command line: C:\Windows\system32\Apgagg32.exe, tree level 179)
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Ajpepm32.exe (command line: C:\Windows\system32\Ajpepm32.exe, tree level 180)
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Achjibcl.exe (command line: C:\Windows\system32\Achjibcl.exe, tree level 181)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Aoojnc32.exe (command line: C:\Windows\system32\Aoojnc32.exe, tree level 182)
PID:2372
-
C:\Windows\SysWOW64\Akfkbd32.exe (command line: C:\Windows\system32\Akfkbd32.exe, tree level 183)
PID:2968
-
C:\Windows\SysWOW64\Aqbdkk32.exe (command line: C:\Windows\system32\Aqbdkk32.exe, tree level 184)
PID:2636
-
C:\Windows\SysWOW64\Bqeqqk32.exe (command line: C:\Windows\system32\Bqeqqk32.exe, tree level 185)
PID:2592
-
C:\Windows\SysWOW64\Bccmmf32.exe (command line: C:\Windows\system32\Bccmmf32.exe, tree level 186)
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Bdcifi32.exe (command line: C:\Windows\system32\Bdcifi32.exe, tree level 187)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Bbmcibjp.exe (command line: C:\Windows\system32\Bbmcibjp.exe, tree level 188)
PID:2696
-
C:\Windows\SysWOW64\Bmbgfkje.exe (command line: C:\Windows\system32\Bmbgfkje.exe, tree level 189)
PID:2792
-
C:\Windows\SysWOW64\Ciihklpj.exe (command line: C:\Windows\system32\Ciihklpj.exe, tree level 190)
PID:2456
-
C:\Windows\SysWOW64\Cepipm32.exe (command line: C:\Windows\system32\Cepipm32.exe, tree level 191)
PID:2812
-
C:\Windows\SysWOW64\Cebeem32.exe (command line: C:\Windows\system32\Cebeem32.exe, tree level 192)
PID:2292
-
C:\Windows\SysWOW64\Ceebklai.exe (command line: C:\Windows\system32\Ceebklai.exe, tree level 193)
PID:1700
-
C:\Windows\SysWOW64\Calcpm32.exe (command line: C:\Windows\system32\Calcpm32.exe, tree level 194)
PID:1536
-
C:\Windows\SysWOW64\Djdgic32.exe (command line: C:\Windows\system32\Djdgic32.exe, tree level 195)
PID:2504
-
C:\Windows\SysWOW64\Dfkhndca.exe (command line: C:\Windows\system32\Dfkhndca.exe, tree level 196)
PID:3116
-
C:\Windows\SysWOW64\Dpcmgi32.exe (command line: C:\Windows\system32\Dpcmgi32.exe, tree level 197)
PID:3160
-
C:\Windows\SysWOW64\Dilapopb.exe (command line: C:\Windows\system32\Dilapopb.exe, tree level 198)
- Drops file in System32 directory
PID:3220 -
C:\Windows\SysWOW64\Ddaemh32.exe (command line: C:\Windows\system32\Ddaemh32.exe, tree level 199)
PID:3264
-
C:\Windows\SysWOW64\Dmijfmfi.exe (command line: C:\Windows\system32\Dmijfmfi.exe, tree level 200)
PID:3304
-
C:\Windows\SysWOW64\Deenjpcd.exe (command line: C:\Windows\system32\Deenjpcd.exe, tree level 201)
PID:3344
-
C:\Windows\SysWOW64\Domccejd.exe (command line: C:\Windows\system32\Domccejd.exe, tree level 202)
PID:3388
-
C:\Windows\SysWOW64\Eheglk32.exe (command line: C:\Windows\system32\Eheglk32.exe, tree level 203)
PID:3428
-
C:\Windows\SysWOW64\Edlhqlfi.exe (command line: C:\Windows\system32\Edlhqlfi.exe, tree level 204)
PID:3468
-
C:\Windows\SysWOW64\Eoblnd32.exe (command line: C:\Windows\system32\Eoblnd32.exe, tree level 205)
- Drops file in System32 directory
PID:3508 -
C:\Windows\SysWOW64\Epeekmjk.exe (command line: C:\Windows\system32\Epeekmjk.exe, tree level 206)
- Drops file in System32 directory
PID:3548 -
C:\Windows\SysWOW64\Egonhf32.exe (command line: C:\Windows\system32\Egonhf32.exe, tree level 207)
PID:3588
-
C:\Windows\SysWOW64\Egajnfoe.exe (command line: C:\Windows\system32\Egajnfoe.exe, tree level 208)
PID:3628
-
C:\Windows\SysWOW64\Fdekgjno.exe (command line: C:\Windows\system32\Fdekgjno.exe, tree level 209)
PID:3668
-
C:\Windows\SysWOW64\Flapkmlj.exe (command line: C:\Windows\system32\Flapkmlj.exe, tree level 210)
PID:3708
-
C:\Windows\SysWOW64\Fhgppnan.exe (command line: C:\Windows\system32\Fhgppnan.exe, tree level 211)
PID:3748
-
C:\Windows\SysWOW64\Fapeic32.exe (command line: C:\Windows\system32\Fapeic32.exe, tree level 212)
- Drops file in System32 directory
- Modifies registry class
PID:3788 -
C:\Windows\SysWOW64\Fodebh32.exe (command line: C:\Windows\system32\Fodebh32.exe, tree level 213)
PID:3828
-
C:\Windows\SysWOW64\Fkkfgi32.exe (command line: C:\Windows\system32\Fkkfgi32.exe, tree level 214)
PID:3868
-
C:\Windows\SysWOW64\Gdcjpncm.exe (command line: C:\Windows\system32\Gdcjpncm.exe, tree level 215)
PID:3912
-
C:\Windows\SysWOW64\Ghacfmic.exe (command line: C:\Windows\system32\Ghacfmic.exe, tree level 216)
PID:3952
-
C:\Windows\SysWOW64\Gdhdkn32.exe (command line: C:\Windows\system32\Gdhdkn32.exe, tree level 217)
PID:3992
-
C:\Windows\SysWOW64\Glchpp32.exe (command line: C:\Windows\system32\Glchpp32.exe, tree level 218)
PID:4032
-
C:\Windows\SysWOW64\Gghmmilh.exe (command line: C:\Windows\system32\Gghmmilh.exe, tree level 219)
PID:4072
-
C:\Windows\SysWOW64\Gconbj32.exe (command line: C:\Windows\system32\Gconbj32.exe, tree level 220)
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Gmhbkohm.exe (command line: C:\Windows\system32\Gmhbkohm.exe, tree level 221)
PID:3148
-
C:\Windows\SysWOW64\Hbdjcffd.exe (command line: C:\Windows\system32\Hbdjcffd.exe, tree level 222)
PID:3212
-
C:\Windows\SysWOW64\Hbggif32.exe (command line: C:\Windows\system32\Hbggif32.exe, tree level 223)
PID:3272
-
C:\Windows\SysWOW64\Hnnhngjf.exe (command line: C:\Windows\system32\Hnnhngjf.exe, tree level 224)
PID:3280
-
C:\Windows\SysWOW64\Hgflflqg.exe (command line: C:\Windows\system32\Hgflflqg.exe, tree level 225)
PID:3376
-
C:\Windows\SysWOW64\Hqnapb32.exe (command line: C:\Windows\system32\Hqnapb32.exe, tree level 226)
PID:3420
-
C:\Windows\SysWOW64\Hkdemk32.exe (command line: C:\Windows\system32\Hkdemk32.exe, tree level 227)
PID:3476
-
C:\Windows\SysWOW64\Heliepmn.exe (command line: C:\Windows\system32\Heliepmn.exe, tree level 228)
PID:3528
-
C:\Windows\SysWOW64\Ikfbbjdj.exe (command line: C:\Windows\system32\Ikfbbjdj.exe, tree level 229)
PID:3580
-
C:\Windows\SysWOW64\Icafgmbe.exe (command line: C:\Windows\system32\Icafgmbe.exe, tree level 230)
PID:3620
-
C:\Windows\SysWOW64\Iphgln32.exe (command line: C:\Windows\system32\Iphgln32.exe, tree level 231)
PID:3640
-
C:\Windows\SysWOW64\Imlhebfc.exe (command line: C:\Windows\system32\Imlhebfc.exe, tree level 232)
PID:3724
-
C:\Windows\SysWOW64\Ibipmiek.exe (command line: C:\Windows\system32\Ibipmiek.exe, tree level 233)
PID:3772
-
C:\Windows\SysWOW64\Imodkadq.exe (command line: C:\Windows\system32\Imodkadq.exe, tree level 234)
PID:3816
-
C:\Windows\SysWOW64\Iieepbje.exe (command line: C:\Windows\system32\Iieepbje.exe, tree level 235)
PID:3856
-
C:\Windows\SysWOW64\Jhjbqo32.exe (command line: C:\Windows\system32\Jhjbqo32.exe, tree level 236)
- Modifies registry class
PID:3928 -
C:\Windows\SysWOW64\Jhmofo32.exe (command line: C:\Windows\system32\Jhmofo32.exe, tree level 237)
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Jeqopcld.exe (command line: C:\Windows\system32\Jeqopcld.exe, tree level 238)
PID:4024
-
C:\Windows\SysWOW64\Jmlddeio.exe (command line: C:\Windows\system32\Jmlddeio.exe, tree level 239)
PID:4044
-
C:\Windows\SysWOW64\Jfdhmk32.exe (command line: C:\Windows\system32\Jfdhmk32.exe, tree level 240)
PID:3112
-
C:\Windows\SysWOW64\Jmnqje32.exe (command line: C:\Windows\system32\Jmnqje32.exe, tree level 241)
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Jfgebjnm.exe (command line: C:\Windows\system32\Jfgebjnm.exe, tree level 242)
PID:3248