Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 02:47
Behavioral task: behavioral1
Sample: 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe
Size: 1.2MB
MD5: 285f1a518c2d7c90194f226cff209430
SHA1: 8cbcea5293a94e527187a897b57bd69855dcca38
SHA256: cefc1b65105fae9933ce0835819fda29821b57ce23f533330e4cb082a2a7161d
SHA512: 8bdf1d9fc3f59deda0dffc2978cc3f8f34d041333ef5882ca250de5dd921990e2bd6bc68b7a7ab7f2246a0a0ef0b40aad69e690aa17d18869bf29a990ad65699
SSDEEP: 6144:NrYmCAU9CXdPipmMH/gysNkvC8vA+XTv7FYUwMOFusQ+kJ3StWbHPdBnec:NrACXwpnsKvNA+XTvZHWuEo3oWbvrec
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
WerFault.exe (pid 4492) handled a crash of target process Ceegmj32.exe (target pid 4856)
Modifies registry class (64 IoCs)
Processes:
Magqncba.exePfbelipa.exeEjgcdb32.exeGicbeald.exeHmdmcanc.exeHpbiommg.exeIedkbc32.exeOoeggp32.exeMencccop.exeNpagjpcd.exeOohqqlei.exePicnndmb.exeAbmibdlh.exeFcmgfkeg.exeJonplmcb.exeFmpkjkma.exeFfhpbacb.exeFepiimfg.exeMeccii32.exeOnjgiiad.exeCaknol32.exeJfghif32.exeGbaileio.exeLfpclh32.exeOqcnfjli.exeQjmkcbcb.exeCadhnmnm.exeIoaifhid.exeLlohjo32.exeFhhcgj32.exePeiepfgg.exePpbfpd32.exeAhchbf32.exeDhmcfkme.exeJgfqaiod.exeOdeiibdq.exeHdfflm32.exeEfcfga32.exeMofglh32.exeAfkdakjb.exeAbbeflpf.exeCpceidcn.exeKaklpcoc.exeEhgppi32.exeHanlnp32.exeOkdkal32.exePiekcd32.exeGnmgmbhb.exeHkaglf32.exeNohnhc32.exeHkkalk32.exeMmfbogcn.exeNocnbmoo.exeQpgpkcpp.exeAbjebn32.exeHdlhjl32.exeJghmfhmb.exeMpmapm32.exeOcdmaj32.exeAecaidjl.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfbelipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Gicbeald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmdmcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjlgm32.dll" Iedkbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ooeggp32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" Npagjpcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oohqqlei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll" Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmpkjkma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffhpbacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onjgiiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Caknol32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fcmgfkeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdcc32.dll" | Jfghif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gbaileio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lfpclh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oqcnfjli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qjmkcbcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cadhnmnm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ioaifhid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Llohjo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fhhcgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" | Peiepfgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ppbfpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ahchbf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dhmcfkme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" | Fcmgfkeg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jgfqaiod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" | Odeiibdq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oqcnfjli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | Hdfflm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll" | Efcfga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mofglh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll" | Afkdakjb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Abbeflpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cpceidcn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kaklpcoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ooeggp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ehgppi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gamgjj32.dll" | Hanlnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll" | Okdkal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" | Piekcd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gnmgmbhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgmpikn.dll" | Hkaglf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nohnhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hkkalk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagbb32.dll" | Mmfbogcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nocnbmoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qpgpkcpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccnnibig.dll" | Abjebn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edfpjabf.dll" | Hdlhjl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jghmfhmb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mpmapm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ocdmaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aecaidjl.exe
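The two registry locations in this report only mean something together: the ShellServiceObjectDelayLoad entry tells Explorer which CLSID to instantiate at logon, and that CLSID's InProcServer32 (Default) value names the DLL the instantiation loads, so the sample needs no Run key at all. The script below is an added example, not part of the sandbox output or of the sample: it parses event lines in the report's own "description ioc process" layout (the sample lines are copied from this page) and joins the two locations into the path Explorer will follow. Function and class names are this example's own. Every DLL the CLSID was ever pointed at is kept, because successive dropped EXEs re-register the same CLSID under a fresh DLL name; on a live host only the last write is in effect.

```python
"""Join the two registry locations of this report into the chain Explorer follows.

Added example, not part of the sandbox output or of the sample. Event lines use
the report's own "description ioc process" layout.
"""
import re
from collections import defaultdict

# Constructed sample: event lines copied from this report's registry signatures.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqmmpd32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfpclh32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdcc32.dll" Jfghif32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbaileio.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Peiepfgg.exe',
]

EVENT_RE = re.compile(
    r'^(?P<desc>Key created|Set value \((?:str|int|data)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'          # key path; value names may contain spaces
    r'(?: = "(?P<value>.*)")?'             # present only for "Set value" events
    r' (?P<proc>\S+)$'                     # process that made the write
)
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$', re.IGNORECASE)
INPROC_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})\\InProcServer32(?:\\(?P<value_name>[^\\]*))?$',
    re.IGNORECASE,
)


def parse_event(line):
    """One report line -> dict(desc, path, value, proc), or None for non-event lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev['value'] is not None:
        ev['value'] = ev['value'].replace('\\\\', '\\')  # the report escapes backslashes in values
    return ev


class PersistenceGraph:
    """Everything the report says about the SSODL -> CLSID -> DLL path."""

    def __init__(self):
        self.ssodl = {}                      # SSODL entry name -> (CLSID, writing process)
        self.servers = defaultdict(list)     # CLSID -> [(DLL path, writing process)] in report order
        self.threading = {}                  # CLSID -> ThreadingModel
        self.touched_by = defaultdict(set)   # CLSID -> processes that created or wrote the key


def build_graph(lines):
    """Fold event lines into a PersistenceGraph; unrelated lines are ignored."""
    g = PersistenceGraph()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        m = SSODL_RE.search(ev['path'])
        if m and ev['value'] is not None:
            g.ssodl[m['name']] = (ev['value'].upper(), ev['proc'])
            continue
        m = INPROC_RE.search(ev['path'])
        if not m:
            continue
        clsid = m['clsid'].upper()
        g.touched_by[clsid].add(ev['proc'])
        value_name = m['value_name']
        if value_name is None or ev['value'] is None:
            continue                          # bare "Key created": nothing to resolve yet
        if value_name == '':                  # (Default) = path of the in-process server
            g.servers[clsid].append((ev['value'], ev['proc']))
        elif value_name.lower() == 'threadingmodel':
            g.threading[clsid] = ev['value']
    return g


def explorer_load_chain(g):
    """Every (entry, CLSID, DLL, writer) Explorer could have been made to load.

    All DLLs are kept: each dropped EXE re-registers the same CLSID with a new
    DLL name, so each one is an indicator even though only the last write is live.
    """
    return [
        (name, clsid, dll, proc)
        for name, (clsid, _) in sorted(g.ssodl.items())
        for dll, proc in g.servers.get(clsid, [])
    ]


def current_server(g, clsid):
    """DLL the CLSID resolves to after the last recorded write, or None."""
    writes = g.servers.get(clsid.upper())
    return writes[-1][0] if writes else None


if __name__ == '__main__':
    graph = build_graph(SAMPLE_EVENTS)
    for name, clsid, dll, proc in explorer_load_chain(graph):
        print(f'Explorer -> SSODL "{name}" -> {clsid} -> {dll}   (written by {proc})')
    for clsid in graph.servers:
        print('live server:', current_server(graph, clsid), '| threading:', graph.threading.get(clsid))
```

Run it against the whole registry signature block of a report rather than the five sample lines and every DLL name the chain registered falls out as a hunt list. The same join is what to do on a suspect host: enumerate each ShellServiceObjectDelayLoad value, resolve its CLSID's InProcServer32 under the matching (Wow6432Node or native) hive, and treat any server DLL you cannot account for as the object to pull.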
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe, Lkkmdn32.exe, Lipjejgp.exe, Meigpkka.exe, Migpeiag.exe, Mnkbdlbd.exe, Nplkfgoe.exe, Nnbhek32.exe, Nofabc32.exe, Nohnhc32.exe, Ofdcjm32.exe, Onphoo32.exe, Oqcnfjli.exe, Paggai32.exe, Plahag32.exe, Peiljl32.exe
description | pid | process | target process
PID 2372 wrote to memory of 3016 | 2372 | 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe | Lkkmdn32.exe
PID 2372 wrote to memory of 3016 | 2372 | 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe | Lkkmdn32.exe
PID 2372 wrote to memory of 3016 | 2372 | 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe | Lkkmdn32.exe
PID 2372 wrote to memory of 3016 | 2372 | 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe | Lkkmdn32.exe
PID 3016 wrote to memory of 2204 | 3016 | Lkkmdn32.exe | Lipjejgp.exe
PID 3016 wrote to memory of 2204 | 3016 | Lkkmdn32.exe | Lipjejgp.exe
PID 3016 wrote to memory of 2204 | 3016 | Lkkmdn32.exe | Lipjejgp.exe
PID 3016 wrote to memory of 2204 | 3016 | Lkkmdn32.exe | Lipjejgp.exe
PID 2204 wrote to memory of 2672 | 2204 | Lipjejgp.exe | Meigpkka.exe
PID 2204 wrote to memory of 2672 | 2204 | Lipjejgp.exe | Meigpkka.exe
PID 2204 wrote to memory of 2672 | 2204 | Lipjejgp.exe | Meigpkka.exe
PID 2204 wrote to memory of 2672 | 2204 | Lipjejgp.exe | Meigpkka.exe
PID 2672 wrote to memory of 2472 | 2672 | Meigpkka.exe | Migpeiag.exe
PID 2672 wrote to memory of 2472 | 2672 | Meigpkka.exe | Migpeiag.exe
PID 2672 wrote to memory of 2472 | 2672 | Meigpkka.exe | Migpeiag.exe
PID 2672 wrote to memory of 2472 | 2672 | Meigpkka.exe | Migpeiag.exe
PID 2472 wrote to memory of 2488 | 2472 | Migpeiag.exe | Mnkbdlbd.exe
PID 2472 wrote to memory of 2488 | 2472 | Migpeiag.exe | Mnkbdlbd.exe
PID 2472 wrote to memory of 2488 | 2472 | Migpeiag.exe | Mnkbdlbd.exe
PID 2472 wrote to memory of 2488 | 2472 | Migpeiag.exe | Mnkbdlbd.exe
PID 2488 wrote to memory of 2464 | 2488 | Mnkbdlbd.exe | Nplkfgoe.exe
PID 2488 wrote to memory of 2464 | 2488 | Mnkbdlbd.exe | Nplkfgoe.exe
PID 2488 wrote to memory of 2464 | 2488 | Mnkbdlbd.exe | Nplkfgoe.exe
PID 2488 wrote to memory of 2464 | 2488 | Mnkbdlbd.exe | Nplkfgoe.exe
PID 2464 wrote to memory of 2756 | 2464 | Nplkfgoe.exe | Nnbhek32.exe
PID 2464 wrote to memory of 2756 | 2464 | Nplkfgoe.exe | Nnbhek32.exe
PID 2464 wrote to memory of 2756 | 2464 | Nplkfgoe.exe | Nnbhek32.exe
PID 2464 wrote to memory of 2756 | 2464 | Nplkfgoe.exe | Nnbhek32.exe
PID 2756 wrote to memory of 1448 | 2756 | Nnbhek32.exe | Nofabc32.exe
PID 2756 wrote to memory of 1448 | 2756 | Nnbhek32.exe | Nofabc32.exe
PID 2756 wrote to memory of 1448 | 2756 | Nnbhek32.exe | Nofabc32.exe
PID 2756 wrote to memory of 1448 | 2756 | Nnbhek32.exe | Nofabc32.exe
PID 1448 wrote to memory of 1912 | 1448 | Nofabc32.exe | Nohnhc32.exe
PID 1448 wrote to memory of 1912 | 1448 | Nofabc32.exe | Nohnhc32.exe
PID 1448 wrote to memory of 1912 | 1448 | Nofabc32.exe | Nohnhc32.exe
PID 1448 wrote to memory of 1912 | 1448 | Nofabc32.exe | Nohnhc32.exe
PID 1912 wrote to memory of 1364 | 1912 | Nohnhc32.exe | Ofdcjm32.exe
PID 1912 wrote to memory of 1364 | 1912 | Nohnhc32.exe | Ofdcjm32.exe
PID 1912 wrote to memory of 1364 | 1912 | Nohnhc32.exe | Ofdcjm32.exe
PID 1912 wrote to memory of 1364 | 1912 | Nohnhc32.exe | Ofdcjm32.exe
PID 1364 wrote to memory of 1676 | 1364 | Ofdcjm32.exe | Onphoo32.exe
PID 1364 wrote to memory of 1676 | 1364 | Ofdcjm32.exe | Onphoo32.exe
PID 1364 wrote to memory of 1676 | 1364 | Ofdcjm32.exe | Onphoo32.exe
PID 1364 wrote to memory of 1676 | 1364 | Ofdcjm32.exe | Onphoo32.exe
PID 1676 wrote to memory of 1148 | 1676 | Onphoo32.exe | Oqcnfjli.exe
PID 1676 wrote to memory of 1148 | 1676 | Onphoo32.exe | Oqcnfjli.exe
PID 1676 wrote to memory of 1148 | 1676 | Onphoo32.exe | Oqcnfjli.exe
PID 1676 wrote to memory of 1148 | 1676 | Onphoo32.exe | Oqcnfjli.exe
PID 1148 wrote to memory of 2960 | 1148 | Oqcnfjli.exe | Paggai32.exe
PID 1148 wrote to memory of 2960 | 1148 | Oqcnfjli.exe | Paggai32.exe
PID 1148 wrote to memory of 2960 | 1148 | Oqcnfjli.exe | Paggai32.exe
PID 1148 wrote to memory of 2960 | 1148 | Oqcnfjli.exe | Paggai32.exe
PID 2960 wrote to memory of 816 | 2960 | Paggai32.exe | Plahag32.exe
PID 2960 wrote to memory of 816 | 2960 | Paggai32.exe | Plahag32.exe
PID 2960 wrote to memory of 816 | 2960 | Paggai32.exe | Plahag32.exe
PID 2960 wrote to memory of 816 | 2960 | Paggai32.exe | Plahag32.exe
PID 816 wrote to memory of 608 | 816 | Plahag32.exe | Peiljl32.exe
PID 816 wrote to memory of 608 | 816 | Plahag32.exe | Peiljl32.exe
PID 816 wrote to memory of 608 | 816 | Plahag32.exe | Peiljl32.exe
PID 816 wrote to memory of 608 | 816 | Plahag32.exe | Peiljl32.exe
PID 608 wrote to memory of 1668 | 608 | Peiljl32.exe | Qhmbagfa.exe
PID 608 wrote to memory of 1668 | 608 | Peiljl32.exe | Qhmbagfa.exe
PID 608 wrote to memory of 1668 | 608 | Peiljl32.exe | Qhmbagfa.exe
PID 608 wrote to memory of 1668 | 608 | Peiljl32.exe | Qhmbagfa.exe
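Each link in the table above is a parent writing into the child it has just spawned (the process tree below shows the same parent-child pairs), not a write into an unrelated process; what distinguishes this sample is the length and strict linearity of the chain, every dropped EXE starting exactly one successor. The script below is an added example, not part of the sandbox output: it parses rows in the report's "PID X wrote to memory of Y" layout (sample rows copied from the table above, each repeated four times as the report lists them), collapses the repeats, walks the chain from the root PID, and flags any link that breaks the one-writer-per-target, one-target-per-writer shape, which is where a genuine cross-process write would show up. Function names are this example's own.

```python
"""Rebuild the drop-and-spawn chain from the report's WriteProcessMemory rows.

Added example for this report (not part of the sandbox output). Rows have the
layout "PID <src> wrote to memory of <dst> <src> <src name> <dst name>"; the
report repeats each row once per call, so the same link appears several times.
"""
import re
from collections import defaultdict

# Constructed sample: the first three links of the table above, each repeated
# four times as the report lists them.
SAMPLE_WPM = (
    ['PID 2372 wrote to memory of 3016 2372 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe Lkkmdn32.exe'] * 4
    + ['PID 3016 wrote to memory of 2204 3016 Lkkmdn32.exe Lipjejgp.exe'] * 4
    + ['PID 2204 wrote to memory of 2672 2204 Lipjejgp.exe Meigpkka.exe'] * 4
)

WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$'
)


def parse_wpm(lines):
    """Collapse repeated rows into one link per (src_pid, dst_pid) plus a call count."""
    links, counts = {}, defaultdict(int)
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # header, separator or a row from another signature
        key = (int(m['src']), int(m['dst']))
        links[key] = (m['src_name'], m['dst_name'])
        counts[key] += 1
    return links, dict(counts)


def find_root(links):
    """The writer nobody wrote into: the process that started the chain (None if ambiguous)."""
    srcs = {s for s, _ in links}
    dsts = {d for _, d in links}
    roots = srcs - dsts
    return roots.pop() if len(roots) == 1 else None


def spawn_chain(links, root_pid):
    """Walk src->dst links from root_pid.

    Returns the ordered [(pid, name)] and whether the walk was a pure chain
    (every visited writer had at most one target). A fan-out or a cycle stops
    the walk instead of looping.
    """
    children, names = defaultdict(list), {}
    for (src, dst), (src_name, dst_name) in links.items():
        children[src].append(dst)
        names.setdefault(src, src_name)
        names[dst] = dst_name
    chain, seen, pid, linear = [], set(), root_pid, True
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, names.get(pid)))
        kids = children.get(pid, [])
        if len(kids) > 1:
            linear = False
            break
        pid = kids[0] if kids else None
    return chain, linear


def injection_candidates(links):
    """Links that break the one-writer-per-target / one-target-per-writer shape.

    In a drop-and-spawn chain each parent writes only into the child it created.
    A target with several writers, or a writer with several targets, is where a
    write into a process the writer did not create would surface.
    """
    writers, targets = defaultdict(set), defaultdict(set)
    for src, dst in links:
        writers[dst].add(src)
        targets[src].add(dst)
    return sorted(
        (src, dst) for src, dst in links
        if len(writers[dst]) > 1 or len(targets[src]) > 1
    )


if __name__ == '__main__':
    links, counts = parse_wpm(SAMPLE_WPM)
    root = find_root(links)
    chain, linear = spawn_chain(links, root)
    print(' -> '.join(f'{name}({pid})' for pid, name in chain), '| linear' if linear else '| branching')
    print('calls per link:', counts)
    print('candidates:', injection_candidates(links))
```

Fed the full 64-row table, the walk returns the 17-process prefix of the tree below (the dropper plus sixteen dropped EXEs) with four calls per link and no candidates; that uniform shape is the thing to compare against when the same signature fires on a sample whose writers and targets do not line up with its process tree.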
Processes
One line per process: nesting depth, image path, PID, and the signatures that process triggered. The root was launched as "C:\Users\Admin\AppData\Local\Temp\285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe". Every process below it was started by its parent with the command line C:\Windows\system32\<name>.exe; the image path recorded is C:\Windows\SysWOW64\<name>.exe because the chain is 32-bit and runs under WOW64 on the x64 guest, where its System32 references are redirected.
1  C:\Users\Admin\AppData\Local\Temp\285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe  PID 2372  Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Lkkmdn32.exe  PID 3016  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Lipjejgp.exe  PID 2204  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Meigpkka.exe  PID 2672  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Migpeiag.exe  PID 2472  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Mnkbdlbd.exe  PID 2488  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Nplkfgoe.exe  PID 2464  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Nnbhek32.exe  PID 2756  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Nofabc32.exe  PID 1448  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Nohnhc32.exe  PID 1912  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Ofdcjm32.exe  PID 1364  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Onphoo32.exe  PID 1676  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Oqcnfjli.exe  PID 1148  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Paggai32.exe  PID 2960  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Plahag32.exe  PID 816  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Peiljl32.exe  PID 608  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Qhmbagfa.exe  PID 1668  Executes dropped EXE; Loads dropped DLL
18  C:\Windows\SysWOW64\Qjmkcbcb.exe  PID 1984  Executes dropped EXE; Loads dropped DLL; Modifies registry class
19  C:\Windows\SysWOW64\Qmlgonbe.exe  PID 448  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
20  C:\Windows\SysWOW64\Aplpai32.exe  PID 1992  Executes dropped EXE; Loads dropped DLL
21  C:\Windows\SysWOW64\Ahchbf32.exe  PID 1568  Executes dropped EXE; Loads dropped DLL; Modifies registry class
22  C:\Windows\SysWOW64\Apomfh32.exe  PID 1996  Executes dropped EXE; Loads dropped DLL
23  C:\Windows\SysWOW64\Abmibdlh.exe  PID 2044  Executes dropped EXE; Loads dropped DLL; Modifies registry class
24  C:\Windows\SysWOW64\Aigaon32.exe  PID 1944  Executes dropped EXE; Loads dropped DLL
25  C:\Windows\SysWOW64\Abpfhcje.exe  PID 1632  Executes dropped EXE; Loads dropped DLL
26  C:\Windows\SysWOW64\Aiinen32.exe  PID 2876  Executes dropped EXE; Loads dropped DLL
27  C:\Windows\SysWOW64\Aepojo32.exe  PID 2364  Executes dropped EXE; Loads dropped DLL
28  C:\Windows\SysWOW64\Bingpmnl.exe  PID 1736  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
29  C:\Windows\SysWOW64\Bkodhe32.exe  PID 2080  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
30  C:\Windows\SysWOW64\Beehencq.exe  PID 3008  Executes dropped EXE; Loads dropped DLL
31  C:\Windows\SysWOW64\Bommnc32.exe  PID 2844  Executes dropped EXE; Loads dropped DLL
32  C:\Windows\SysWOW64\Begeknan.exe  PID 2624  Executes dropped EXE; Loads dropped DLL
33  C:\Windows\SysWOW64\Bkdmcdoe.exe  PID 2732  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34  C:\Windows\SysWOW64\Bdooajdc.exe  PID 2632  Executes dropped EXE
35  C:\Windows\SysWOW64\Cgmkmecg.exe  PID 1756  Executes dropped EXE
36  C:\Windows\SysWOW64\Cgpgce32.exe  PID 2648  Executes dropped EXE
37  C:\Windows\SysWOW64\Cjndop32.exe  PID 1896  Executes dropped EXE; Drops file in System32 directory
38  C:\Windows\SysWOW64\Cphlljge.exe  PID 1680  Executes dropped EXE
39  C:\Windows\SysWOW64\Cjpqdp32.exe  PID 2000  Executes dropped EXE
40  C:\Windows\SysWOW64\Chcqpmep.exe  PID 1844  Executes dropped EXE
41  C:\Windows\SysWOW64\Claifkkf.exe  PID 2560  Executes dropped EXE
42  C:\Windows\SysWOW64\Copfbfjj.exe  PID 540  Executes dropped EXE
43  C:\Windows\SysWOW64\Cdlnkmha.exe  PID 2320  Executes dropped EXE
44  C:\Windows\SysWOW64\Clcflkic.exe  PID 2776  Executes dropped EXE
45  C:\Windows\SysWOW64\Dhjgal32.exe  PID 1544  Executes dropped EXE
46  C:\Windows\SysWOW64\Dodonf32.exe  PID 2680  Executes dropped EXE
47  C:\Windows\SysWOW64\Dhmcfkme.exe  PID 1692  Executes dropped EXE; Modifies registry class
48  C:\Windows\SysWOW64\Dnilobkm.exe  PID 1136  Executes dropped EXE
49  C:\Windows\SysWOW64\Ddcdkl32.exe  PID 1584  Executes dropped EXE
50  C:\Windows\SysWOW64\Dmoipopd.exe  PID 2284  Executes dropped EXE
51  C:\Windows\SysWOW64\Ddeaalpg.exe  PID 240  Executes dropped EXE
52  C:\Windows\SysWOW64\Dfgmhd32.exe  PID 1772  Executes dropped EXE
53  C:\Windows\SysWOW64\Dnneja32.exe  PID 2544  Executes dropped EXE
54  C:\Windows\SysWOW64\Djefobmk.exe  PID 2168  Executes dropped EXE
55  C:\Windows\SysWOW64\Eihfjo32.exe  PID 2656  Executes dropped EXE
56  C:\Windows\SysWOW64\Epaogi32.exe  PID 3024  Executes dropped EXE
57  C:\Windows\SysWOW64\Ejgcdb32.exe  PID 2596  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
58  C:\Windows\SysWOW64\Emeopn32.exe  PID 2496  Executes dropped EXE
59  C:\Windows\SysWOW64\Eeqdep32.exe  PID 2484  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
60  C:\Windows\SysWOW64\Emhlfmgj.exe  PID 2508  Executes dropped EXE
61  C:\Windows\SysWOW64\Ebedndfa.exe  PID 1908  Executes dropped EXE
62  C:\Windows\SysWOW64\Eiomkn32.exe  PID 1640  Executes dropped EXE
63  C:\Windows\SysWOW64\Eajaoq32.exe  PID 1684  Executes dropped EXE
64  C:\Windows\SysWOW64\Eeempocb.exe  PID 1132  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
65  C:\Windows\SysWOW64\Ejbfhfaj.exe  PID 1872  Executes dropped EXE
66  C:\Windows\SysWOW64\Ennaieib.exe  PID 1604
67  C:\Windows\SysWOW64\Fhffaj32.exe  PID 1508  Adds autorun key to be loaded by Explorer.exe on startup
68  C:\Windows\SysWOW64\Fmcoja32.exe  PID 1820
69  C:\Windows\SysWOW64\Fcmgfkeg.exe  PID 1504  Drops file in System32 directory; Modifies registry class
70  C:\Windows\SysWOW64\Fhhcgj32.exe  PID 1548  Modifies registry class
71  C:\Windows\SysWOW64\Fjgoce32.exe  PID 1636  Adds autorun key to be loaded by Explorer.exe on startup
72  C:\Windows\SysWOW64\Fnbkddem.exe  PID 2108
73  C:\Windows\SysWOW64\Fdoclk32.exe  PID 2340
74  C:\Windows\SysWOW64\Facdeo32.exe  PID 2132
75  C:\Windows\SysWOW64\Fdapak32.exe  PID 2232  Adds autorun key to be loaded by Explorer.exe on startup
76  C:\Windows\SysWOW64\Fbdqmghm.exe  PID 2748
77  C:\Windows\SysWOW64\Fjlhneio.exe  PID 2580
78  C:\Windows\SysWOW64\Ffbicfoc.exe  PID 2476  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
79  C:\Windows\SysWOW64\Fiaeoang.exe  PID 2924
80  C:\Windows\SysWOW64\Globlmmj.exe  PID 2552
81  C:\Windows\SysWOW64\Gegfdb32.exe  PID 2532
82  C:\Windows\SysWOW64\Gicbeald.exe  PID 856  Modifies registry class
83  C:\Windows\SysWOW64\Gangic32.exe  PID 2324
84  C:\Windows\SysWOW64\Gldkfl32.exe  PID 2448
85  C:\Windows\SysWOW64\Gbnccfpb.exe  PID 1304  Adds autorun key to be loaded by Explorer.exe on startup
86  C:\Windows\SysWOW64\Gelppaof.exe  PID 2328  Drops file in System32 directory
87  C:\Windows\SysWOW64\Gkihhhnm.exe  PID 2444
88  C:\Windows\SysWOW64\Gmgdddmq.exe  PID 1076  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
89  C:\Windows\SysWOW64\Geolea32.exe  PID 1900
90  C:\Windows\SysWOW64\Gogangdc.exe  PID 1104
91  C:\Windows\SysWOW64\Gmjaic32.exe  PID 2800  Drops file in System32 directory
92  C:\Windows\SysWOW64\Gphmeo32.exe  PID 2612  Drops file in System32 directory
93  C:\Windows\SysWOW64\Gddifnbk.exe  PID 2208
94  C:\Windows\SysWOW64\Hahjpbad.exe  PID 2460
95  C:\Windows\SysWOW64\Hdfflm32.exe  PID 3020  Modifies registry class
96  C:\Windows\SysWOW64\Hcifgjgc.exe  PID 864
97  C:\Windows\SysWOW64\Hicodd32.exe  PID 2952
98  C:\Windows\SysWOW64\Hpmgqnfl.exe  PID 1836
99  C:\Windows\SysWOW64\Hejoiedd.exe  PID 1200
100  C:\Windows\SysWOW64\Hnagjbdf.exe  PID 1348
101  C:\Windows\SysWOW64\Hobcak32.exe  PID 2308
102  C:\Windows\SysWOW64\Hcnpbi32.exe  PID 1048
103  C:\Windows\SysWOW64\Hjhhocjj.exe  PID 972
104  C:\Windows\SysWOW64\Hlfdkoin.exe  PID 1288
105  C:\Windows\SysWOW64\Henidd32.exe  PID 2384
106  C:\Windows\SysWOW64\Hjjddchg.exe  PID 2236
107  C:\Windows\SysWOW64\Hkkalk32.exe  PID 2600  Modifies registry class
108  C:\Windows\SysWOW64\Idceea32.exe  PID 2540
109  C:\Windows\SysWOW64\Iknnbklc.exe  PID 2160
110  C:\Windows\SysWOW64\Idfbkq32.exe  PID 1884  Adds autorun key to be loaded by Explorer.exe on startup
111  C:\Windows\SysWOW64\Ihankokm.exe  PID 2956
112  C:\Windows\SysWOW64\Ikpjgkjq.exe  PID 2932
113  C:\Windows\SysWOW64\Idhopq32.exe  PID 1976
114  C:\Windows\SysWOW64\Ijeghgoh.exe  PID 1280
115  C:\Windows\SysWOW64\Iqopea32.exe  PID 1552
116  C:\Windows\SysWOW64\Icmlam32.exe  PID 988
117  C:\Windows\SysWOW64\Imfqjbli.exe  PID 2220  Adds autorun key to be loaded by Explorer.exe on startup
118  C:\Windows\SysWOW64\Idmhkpml.exe  PID 3056  Drops file in System32 directory
119  C:\Windows\SysWOW64\Jjjacf32.exe  PID 2744
120  C:\Windows\SysWOW64\Jmhmpb32.exe  PID 2628
121  C:\Windows\SysWOW64\Jcbellac.exe  PID 2676  Adds autorun key to be loaded by Explorer.exe on startup
122  C:\Windows\SysWOW64\Jiondcpk.exe  PID 1128
123  C:\Windows\SysWOW64\Jcdbbloa.exe  PID 2176
124  C:\Windows\SysWOW64\Jjojofgn.exe  PID 2432
125  C:\Windows\SysWOW64\Jkpgfn32.exe  PID 2344
126  C:\Windows\SysWOW64\Jicgpb32.exe  PID 2428
127  C:\Windows\SysWOW64\Jonplmcb.exe  PID 888  Modifies registry class
128  C:\Windows\SysWOW64\Jnqphi32.exe  PID 2820
129  C:\Windows\SysWOW64\Jfghif32.exe  PID 2764  Modifies registry class
130  C:\Windows\SysWOW64\Jnclnihj.exe  PID 1924
131  C:\Windows\SysWOW64\Kemejc32.exe  PID 1672
132  C:\Windows\SysWOW64\Kgkafo32.exe  PID 336
133  C:\Windows\SysWOW64\Kaceodek.exe  PID 1124  Adds autorun key to be loaded by Explorer.exe on startup
134  C:\Windows\SysWOW64\Kcbakpdo.exe  PID 632  Adds autorun key to be loaded by Explorer.exe on startup
135  C:\Windows\SysWOW64\Kjljhjkl.exe  PID 992  Drops file in System32 directory
136  C:\Windows\SysWOW64\Kgpjanje.exe  PID 1964  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
137  C:\Windows\SysWOW64\Knjbnh32.exe  PID 576
138  C:\Windows\SysWOW64\Kgbggnhc.exe  PID 2492
139  C:\Windows\SysWOW64\Kaklpcoc.exe  PID 2780  Drops file in System32 directory; Modifies registry class
140  C:\Windows\SysWOW64\Kfgdhjmk.exe  PID 1184
141  C:\Windows\SysWOW64\Lldlqakb.exe  PID 2760  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
142  C:\Windows\SysWOW64\Lemaif32.exe  PID 2712
143  C:\Windows\SysWOW64\Lbqabkql.exe  PID 1792
144  C:\Windows\SysWOW64\Lliflp32.exe  PID 2064
145  C:\Windows\SysWOW64\Leajdfnm.exe  PID 1940
146  C:\Windows\SysWOW64\Llkbap32.exe  PID 1268  Adds autorun key to be loaded by Explorer.exe on startup
147  C:\Windows\SysWOW64\Lbeknj32.exe  PID 1068
148  C:\Windows\SysWOW64\Llnofpcg.exe  PID 1808
149  C:\Windows\SysWOW64\Lmolnh32.exe  PID 2984
150  C:\Windows\SysWOW64\Ldidkbpb.exe  PID 1620
151  C:\Windows\SysWOW64\Mkclhl32.exe  PID 2604
152  C:\Windows\SysWOW64\Mppepcfg.exe  PID 2880
153  C:\Windows\SysWOW64\Mkeimlfm.exe  PID 2888
154  C:\Windows\SysWOW64\Maoajf32.exe  PID 692  Drops file in System32 directory
155  C:\Windows\SysWOW64\Mbpnanch.exe  PID 2288  Adds autorun key to be loaded by Explorer.exe on startup
156  C:\Windows\SysWOW64\Mijfnh32.exe  PID 2040
157  C:\Windows\SysWOW64\Mmfbogcn.exe  PID 1752  Modifies registry class
158  C:\Windows\SysWOW64\Mcbjgn32.exe  PID 2568  Drops file in System32 directory
159  C:\Windows\SysWOW64\Mimbdhhb.exe  PID 2620
160  C:\Windows\SysWOW64\Moiklogi.exe  PID 2180
161  C:\Windows\SysWOW64\Meccii32.exe  PID 3064  Modifies registry class
162  C:\Windows\SysWOW64\Nolhan32.exe  PID 1860
163  C:\Windows\SysWOW64\Ncgdbmmp.exe  PID 848  Drops file in System32 directory
164  C:\Windows\SysWOW64\Nialog32.exe  PID 2824
165  C:\Windows\SysWOW64\Nondgn32.exe  PID 2548
166  C:\Windows\SysWOW64\Nlbeqb32.exe  PID 2644
167  C:\Windows\SysWOW64\Nejiih32.exe  PID 3052
168  C:\Windows\SysWOW64\Nocnbmoo.exe  PID 2264  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
169  C:\Windows\SysWOW64\Naajoinb.exe  PID 1432
170  C:\Windows\SysWOW64\Nhkbkc32.exe  PID 1328
171  C:\Windows\SysWOW64\Nkiogn32.exe  PID 2872  Drops file in System32 directory
172  C:\Windows\SysWOW64\Nacgdhlp.exe  PID 2572
173  C:\Windows\SysWOW64\Npfgpe32.exe  PID 1728
174  C:\Windows\SysWOW64\Oklkmnbp.exe  PID 1100
175  C:\Windows\SysWOW64\Onjgiiad.exe  PID 1816  Modifies registry class
176  C:\Windows\S ysWOW64\Oqideepg.exe  PID 1464
177  C:\Windows\SysWOW64\Oddpfc32.exe  PID 2060
178  C:\Windows\SysWOW64\Oqkqkdne.exe  PID 1720
179  C:\Windows\SysWOW64\Ofhick32.exe  PID 2752
180  C:\Windows\SysWOW64\Oqmmpd32.exe  PID 784  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
181  C:\Windows\SysWOW64\Oopnlacm.exe  PID 1828
182  C:\Windows\SysWOW64\Ofjfhk32.exe  PID 2188
183  C:\Windows\SysWOW64\Okgnab32.exe  PID 2352  Adds autorun key to be loaded by Explorer.exe on startup
184  C:\Windows\SysWOW64\Ocnfbo32.exe  PID 3068
185  C:\Windows\SysWOW64\Oikojfgk.exe  PID 1188  Drops file in System32 directory
186  C:\Windows\SysWOW64\Ooeggp32.exe  PID 1056  Drops file in System32 directory; Modifies registry class
187  C:\Windows\SysWOW64\Pfoocjfd.exe  PID 900
188  C:\Windows\SysWOW64\Pgplkb32.exe  PID 2660
189  C:\Windows\SysWOW64\Pedleg32.exe  PID 1424
190  C:\Windows\SysWOW64\Pkndaa32.exe  PID 2684
191  C:\Windows\SysWOW64\Pjadmnic.exe  PID 2564
192  C:\Windows\SysWOW64\Pefijfii.exe  PID 1332  Drops file in System32 directory
193  C:\Windows\SysWOW64\Pgeefbhm.exe  PID 3084
194  C:\Windows\SysWOW64\Pamiog32.exe  PID 3124  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
195  C:\Windows\SysWOW64\Peiepfgg.exe  PID 3164  Modifies registry class
196  C:\Windows\SysWOW64\Pfjbgnme.exe  PID 3204
197  C:\Windows\SysWOW64\Pjenhm32.exe  PID 3244
198  C:\Windows\SysWOW64\Ppbfpd32.exe  PID 3284  Modifies registry class
199  C:\Windows\SysWOW64\Pflomnkb.exe  PID 3324
200  C:\Windows\SysWOW64\Qmfgjh32.exe  PID 3364  Drops file in System32 directory
201  C:\Windows\SysWOW64\Qpecfc32.exe  PID 3404
202  C:\Windows\SysWOW64\Qjjgclai.exe  PID 3444
203  C:\Windows\SysWOW64\Qpgpkcpp.exe  PID 3484  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
204  C:\Windows\SysWOW64\Aipddi32.exe  PID 3524  Adds autorun key to be loaded by Explorer.exe on startup
205  C:\Windows\SysWOW64\Apimacnn.exe  PID 3564
206  C:\Windows\SysWOW64\Afcenm32.exe  PID 3604  Adds autorun key to be loaded by Explorer.exe on startup
207  C:\Windows\SysWOW64\Aibajhdn.exe  PID 3644
208  C:\Windows\SysWOW64\Aplifb32.exe  PID 3684  Drops file in System32 directory
209  C:\Windows\SysWOW64\Abjebn32.exe  PID 3724  Modifies registry class
210  C:\Windows\SysWOW64\Abmbhn32.exe  PID 3768
211  C:\Windows\SysWOW64\Aekodi32.exe  PID 3808  Drops file in System32 directory
212  C:\Windows\SysWOW64\Ajhgmpfg.exe  PID 3848  Drops file in System32 directory
213  C:\Windows\SysWOW64\Aaaoij32.exe  PID 3888
214  C:\Windows\SysWOW64\Afohaa32.exe  PID 3928
215  C:\Windows\SysWOW64\Bpgljfbl.exe  PID 3968
216  C:\Windows\SysWOW64\Bioqclil.exe  PID 4008
217  C:\Windows\SysWOW64\Bafidiio.exe  PID 4048
218  C:\Windows\SysWOW64\Bfcampgf.exe  PID 4088
219  C:\Windows\SysWOW64\Biamilfj.exe  PID 3104
220  C:\Windows\SysWOW64\Bpleef32.exe  PID 1164  Adds autorun key to be loaded by Explorer.exe on startup
221  C:\Windows\SysWOW64\Bbjbaa32.exe  PID 3200
222  C:\Windows\SysWOW64\Bidjnkdg.exe  PID 3260
223  C:\Windows\SysWOW64\Boqbfb32.exe  PID 3296  Drops file in System32 directory
224  C:\Windows\SysWOW64\Bekkcljk.exe  PID 3352  Drops file in System32 directory
225  C:\Windows\SysWOW64\Bppoqeja.exe  PID 3400
226  C:\Windows\SysWOW64\Baakhm32.exe  PID 3452
227  C:\Windows\SysWOW64\Biicik32.exe  PID 3504  Adds autorun key to be loaded by Explorer.exe on startup
228  C:\Windows\SysWOW64\Coelaaoi.exe  PID 3540  Adds autorun key to be loaded by Explorer.exe on startup
229  C:\Windows\SysWOW64\Cadhnmnm.exe  PID 3596  Modifies registry class
230  C:\Windows\SysWOW64\Clilkfnb.exe  PID 3628
231  C:\Windows\SysWOW64\Cnkicn32.exe  PID 3700
232  C:\Windows\SysWOW64\Chpmpg32.exe  PID 3736
233  C:\Windows\SysWOW64\Ckoilb32.exe  PID 3796
234  C:\Windows\SysWOW64\Cpkbdiqb.exe  PID 3820  Drops file in System32 directory
235  C:\Windows\SysWOW64\Chbjffad.exe  PID 3908
236  C:\Windows\SysWOW64\Cjdfmo32.exe  PID 3952
237  C:\Windows\SysWOW64\Caknol32.exe  PID 4000  Modifies registry class
238  C:\Windows\SysWOW64\Cjfccn32.exe  PID 4056
239  C:\Windows\SysWOW64\Cdlgpgef.exe  PID 3076
240  C:\Windows\SysWOW64\Djhphncm.exe  PID 3136  Adds autorun key to be loaded by Explorer.exe on startup
241  C:\Windows\SysWOW64\Dpbheh32.exe  PID 3188
242  C:\Windows\SysWOW64\Djklnnaj.exe  PID 3172