Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:41
Behavioral task
behavioral1
Sample
e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe
-
Size
1024KB
-
MD5
e28e3a62a84ab774984dfc8e228410d0
-
SHA1
7c29394a6c8700165778ed94eb8c6cc3c7e7656b
-
SHA256
c343229d8b0fd3b2b06664b00f02e4f314670aefa26df44a574f8530d632e68c
-
SHA512
5d31e36de49756a4e5467d39c601994b36e7ee06a8e51cf794bc9ffd3536d6e3a518241d1de8a1f9a79903eb1f802e8de752d02e577dc8861ee72317954d7c2b
-
SSDEEP
24576:iJSnm0BmmvFimm0Xcr6VDsEqacjgqANXcolMZ5nNxvM0oL8v8WQ:iJSfiTWVDBzcjgBNXcolMZ5nNxvM0oLx
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfbcbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjjea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiqpop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjdilgpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcojjmea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiglkle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijjoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocnbmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnhnbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihjnom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfgngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehkodcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecejkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhngjmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjbpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlkiepd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnclnihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgejac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkgfckcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oegbheiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhpeafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocnfbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llnofpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbidgeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfmffhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maedhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofdklgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhffaj32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000a00000001224e-5.dat family_berbew behavioral1/files/0x000800000001566b-19.dat family_berbew behavioral1/files/0x0007000000015cba-49.dat family_berbew behavioral1/files/0x0006000000015eaf-70.dat family_berbew behavioral1/files/0x0034000000015653-81.dat family_berbew behavioral1/files/0x0006000000016117-93.dat family_berbew behavioral1/files/0x000600000001630b-114.dat family_berbew behavioral1/files/0x0006000000016c4a-150.dat family_berbew behavioral1/files/0x0006000000016843-145.dat family_berbew behavioral1/files/0x0006000000016c6b-167.dat family_berbew behavioral1/files/0x0006000000016d3a-216.dat family_berbew behavioral1/files/0x0006000000016d90-229.dat family_berbew behavioral1/memory/2088-262-0x0000000000290000-0x00000000002C5000-memory.dmp family_berbew behavioral1/files/0x00060000000173d8-271.dat family_berbew behavioral1/files/0x0006000000017052-260.dat family_berbew behavioral1/files/0x0006000000016e94-249.dat family_berbew behavioral1/files/0x0006000000017456-282.dat family_berbew behavioral1/files/0x0006000000017556-301.dat family_berbew behavioral1/files/0x000500000001866b-312.dat family_berbew behavioral1/memory/1948-315-0x0000000000300000-0x0000000000335000-memory.dmp family_berbew behavioral1/files/0x0006000000018c1a-334.dat family_berbew behavioral1/files/0x00050000000191a7-357.dat family_berbew behavioral1/files/0x0005000000019241-387.dat family_berbew behavioral1/files/0x000500000001924d-398.dat family_berbew behavioral1/files/0x00050000000192ef-411.dat family_berbew behavioral1/files/0x000500000001934f-417.dat family_berbew behavioral1/files/0x000500000001937b-432.dat family_berbew behavioral1/files/0x0005000000019399-444.dat family_berbew behavioral1/files/0x000500000001941c-454.dat family_berbew behavioral1/files/0x0005000000019440-473.dat family_berbew behavioral1/files/0x00050000000194ad-494.dat family_berbew behavioral1/files/0x00050000000194e3-505.dat family_berbew behavioral1/files/0x0005000000019ae5-558.dat family_berbew behavioral1/files/0x0005000000019c5a-568.dat family_berbew behavioral1/files/0x0005000000019f2d-591.dat family_berbew behavioral1/files/0x0005000000019c93-580.dat family_berbew behavioral1/files/0x000500000001a03f-602.dat family_berbew behavioral1/files/0x000500000001a304-624.dat family_berbew behavioral1/files/0x000500000001a415-637.dat family_berbew behavioral1/files/0x000500000001a499-711.dat family_berbew behavioral1/files/0x000500000001a4b2-764.dat family_berbew behavioral1/files/0x000500000001a4a8-754.dat family_berbew behavioral1/files/0x000500000001a4b7-781.dat family_berbew behavioral1/files/0x000500000001a4bb-789.dat family_berbew behavioral1/files/0x000500000001a4c3-813.dat family_berbew behavioral1/files/0x000500000001a4c7-824.dat family_berbew behavioral1/files/0x000500000001a4cb-834.dat family_berbew behavioral1/files/0x000500000001a4cf-851.dat family_berbew behavioral1/files/0x000500000001a4d7-872.dat family_berbew behavioral1/files/0x000500000001a4db-888.dat family_berbew behavioral1/files/0x000500000001a4f9-918.dat family_berbew behavioral1/files/0x000500000001a574-933.dat family_berbew behavioral1/files/0x000500000001ad68-943.dat family_berbew behavioral1/files/0x000500000001c748-974.dat family_berbew behavioral1/files/0x000500000001c83a-1015.dat family_berbew behavioral1/files/0x000500000001c858-1067.dat family_berbew behavioral1/files/0x000500000001c85c-1081.dat family_berbew behavioral1/files/0x000500000001c864-1109.dat family_berbew behavioral1/files/0x000500000001c87c-1150.dat family_berbew behavioral1/files/0x000500000001c88f-1166.dat family_berbew behavioral1/files/0x000500000001c8a6-1193.dat family_berbew behavioral1/files/0x000500000001c8ab-1205.dat family_berbew behavioral1/files/0x000500000001c8ba-1243.dat family_berbew behavioral1/files/0x000500000001c8b4-1230.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1072 Dhjgal32.exe 1664 Ddcdkl32.exe 2648 Dnlidb32.exe 2748 Dfijnd32.exe 2560 Emcbkn32.exe 2468 Ebinic32.exe 2716 Fhffaj32.exe 2956 Fnpnndgp.exe 1736 Gonnhhln.exe 1868 Glaoalkh.exe 1192 Gopkmhjk.exe 1252 Gkihhhnm.exe 672 Gacpdbej.exe 776 Gdamqndn.exe 2860 Gkkemh32.exe 1108 Gaemjbcg.exe 1724 Hpapln32.exe 2088 Hacmcfge.exe 2068 Ifcbodli.exe 1392 Ikpjgkjq.exe 320 Jcbellac.exe 2268 Jfqahgpg.exe 1948 Jmjjea32.exe 1784 Jcdbbloa.exe 2884 Jehkodcm.exe 1076 Jicgpb32.exe 2156 Jkbcln32.exe 2572 Jbllihbf.exe 2752 Jifdebic.exe 2556 Jkdpanhg.exe 2596 Jnclnihj.exe 1508 Kcbakpdo.exe 2928 Kjljhjkl.exe 2480 Kngfih32.exe 2152 Kpkofpgq.exe 2492 Kfegbj32.exe 2708 Kaklpcoc.exe 1984 Lmcijcbe.exe 2688 Lpbefoai.exe 648 Lbqabkql.exe 2096 Lflmci32.exe 1084 Lijjoe32.exe 1956 Lhmjkaoc.exe 956 Lbcnhjnj.exe 2272 Leajdfnm.exe 1656 Lhpfqama.exe 2072 Lkncmmle.exe 1740 Lbeknj32.exe 436 Lecgje32.exe 2876 Lhbcfa32.exe 2608 Llnofpcg.exe 2836 Mhdplq32.exe 2552 Mggpgmof.exe 2348 Monhhk32.exe 1376 Mppepcfg.exe 884 Mhgmapfi.exe 2932 Mkeimlfm.exe 2916 Mmceigep.exe 2832 Maoajf32.exe 1356 Mdmmfa32.exe 2220 Mkgfckcj.exe 1600 Mlibjc32.exe 2380 Mdpjlajk.exe 1768 Mgnfhlin.exe -
Loads dropped DLL 64 IoCs
pid Process 3008 e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe 3008 e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe 1072 Dhjgal32.exe 1072 Dhjgal32.exe 1664 Ddcdkl32.exe 1664 Ddcdkl32.exe 2648 Dnlidb32.exe 2648 Dnlidb32.exe 2748 Dfijnd32.exe 2748 Dfijnd32.exe 2560 Emcbkn32.exe 2560 Emcbkn32.exe 2468 Ebinic32.exe 2468 Ebinic32.exe 2716 Fhffaj32.exe 2716 Fhffaj32.exe 2956 Fnpnndgp.exe 2956 Fnpnndgp.exe 1736 Gonnhhln.exe 1736 Gonnhhln.exe 1868 Glaoalkh.exe 1868 Glaoalkh.exe 1192 Gopkmhjk.exe 1192 Gopkmhjk.exe 1252 Gkihhhnm.exe 1252 Gkihhhnm.exe 672 Gacpdbej.exe 672 Gacpdbej.exe 776 Gdamqndn.exe 776 Gdamqndn.exe 2860 Gkkemh32.exe 2860 Gkkemh32.exe 1108 Gaemjbcg.exe 1108 Gaemjbcg.exe 1724 Hpapln32.exe 1724 Hpapln32.exe 2088 Hacmcfge.exe 2088 Hacmcfge.exe 2068 Ifcbodli.exe 2068 Ifcbodli.exe 1392 Ikpjgkjq.exe 1392 Ikpjgkjq.exe 320 Jcbellac.exe 320 Jcbellac.exe 2268 Jfqahgpg.exe 2268 Jfqahgpg.exe 1948 Jmjjea32.exe 1948 Jmjjea32.exe 1784 Jcdbbloa.exe 1784 Jcdbbloa.exe 2884 Jehkodcm.exe 2884 Jehkodcm.exe 1076 Jicgpb32.exe 1076 Jicgpb32.exe 2156 Jkbcln32.exe 2156 Jkbcln32.exe 2572 Jbllihbf.exe 2572 Jbllihbf.exe 2752 Jifdebic.exe 2752 Jifdebic.exe 2556 Jkdpanhg.exe 2556 Jkdpanhg.exe 2596 Jnclnihj.exe 2596 Jnclnihj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fibkpd32.dll Magqncba.exe File created C:\Windows\SysWOW64\Hoamnbaf.dll Kngfih32.exe File created C:\Windows\SysWOW64\Gdchio32.dll Maoajf32.exe File opened for modification C:\Windows\SysWOW64\Ecejkf32.exe Enhacojl.exe File opened for modification C:\Windows\SysWOW64\Ebjglbml.exe Eplkpgnh.exe File created C:\Windows\SysWOW64\Doojhgfa.dll Qijdocfj.exe File opened for modification C:\Windows\SysWOW64\Cacacg32.exe Bhhpeafc.exe File created C:\Windows\SysWOW64\Dfijnd32.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Cgcmfjnn.dll Dnlidb32.exe File created C:\Windows\SysWOW64\Oecbjjic.dll Fnpnndgp.exe File opened for modification C:\Windows\SysWOW64\Jcdbbloa.exe Jmjjea32.exe File opened for modification C:\Windows\SysWOW64\Mmldme32.exe Mdcpdp32.exe File created C:\Windows\SysWOW64\Cgejac32.exe Cnmehnan.exe File created C:\Windows\SysWOW64\Mnghjbjl.dll Cclkfdnc.exe File created C:\Windows\SysWOW64\Ghelfg32.exe Gdjpeifj.exe File opened for modification C:\Windows\SysWOW64\Npccpo32.exe Ngibaj32.exe File opened for modification C:\Windows\SysWOW64\Bbokmqie.exe Bppoqeja.exe File created C:\Windows\SysWOW64\Epfbghho.dll Gnmgmbhb.exe File created C:\Windows\SysWOW64\Ajcfjgdj.dll Oegbheiq.exe File opened for modification C:\Windows\SysWOW64\Ojcecjee.exe Ogeigofa.exe File opened for modification C:\Windows\SysWOW64\Picnndmb.exe Pjpnbg32.exe File opened for modification C:\Windows\SysWOW64\Qijdocfj.exe Qflhbhgg.exe File created C:\Windows\SysWOW64\Gcaciakh.dll Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Pgbhabjp.exe Piphee32.exe File created C:\Windows\SysWOW64\Igakgfpn.exe Icfofg32.exe File created C:\Windows\SysWOW64\Lnmfog32.dll Monhhk32.exe File created C:\Windows\SysWOW64\Alnqqd32.exe Qedhdjnh.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Ddigjkid.exe File created C:\Windows\SysWOW64\Jhngjmlo.exe Jofbag32.exe File created C:\Windows\SysWOW64\Kklpekno.exe Kincipnk.exe File created C:\Windows\SysWOW64\Ecfmdf32.dll Moanaiie.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Amqccfed.exe Ajpjakhc.exe File opened for modification C:\Windows\SysWOW64\Behgcf32.exe Bjbcfn32.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Kcbakpdo.exe File opened for modification C:\Windows\SysWOW64\Biicik32.exe Baakhm32.exe File opened for modification C:\Windows\SysWOW64\Oegbheiq.exe Odhfob32.exe File created C:\Windows\SysWOW64\Qodlkm32.exe Qgmdjp32.exe File opened for modification C:\Windows\SysWOW64\Biojif32.exe Bilmcf32.exe File created C:\Windows\SysWOW64\Ceamohhb.dll Nofdklgl.exe File created C:\Windows\SysWOW64\Chnqkg32.exe Ceodnl32.exe File opened for modification C:\Windows\SysWOW64\Enfenplo.exe Egllae32.exe File opened for modification C:\Windows\SysWOW64\Fnhnbb32.exe Fjmaaddo.exe File created C:\Windows\SysWOW64\Jkmcfhkc.exe Jhngjmlo.exe File created C:\Windows\SysWOW64\Alhmjbhj.exe Amcpie32.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Ddigjkid.exe File opened for modification C:\Windows\SysWOW64\Ogbknfbl.dll Kfbcbd32.exe File created C:\Windows\SysWOW64\Lmcmdd32.dll Odhfob32.exe File created C:\Windows\SysWOW64\Delpclld.dll Mkgfckcj.exe File created C:\Windows\SysWOW64\Bilmcf32.exe Aeqabgoj.exe File created C:\Windows\SysWOW64\Hjbpkign.dll Jcbellac.exe File created C:\Windows\SysWOW64\Nehmdhja.exe Ncjqhmkm.exe File opened for modification C:\Windows\SysWOW64\Fpqdkf32.exe Fekpnn32.exe File opened for modification C:\Windows\SysWOW64\Pcibkm32.exe Picnndmb.exe File opened for modification C:\Windows\SysWOW64\Abbeflpf.exe Alhmjbhj.exe File created C:\Windows\SysWOW64\Gdjpeifj.exe Gnmgmbhb.exe File created C:\Windows\SysWOW64\Kfmjgeaj.exe Jfknbe32.exe File created C:\Windows\SysWOW64\Gkkemh32.exe Gdamqndn.exe File opened for modification C:\Windows\SysWOW64\Ocnfbo32.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Kfommp32.dll Pbhmnkjf.exe File created C:\Windows\SysWOW64\Edkcojga.exe Eqpgol32.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Eqpgol32.exe File created C:\Windows\SysWOW64\Odhfob32.exe Ookmfk32.exe File created C:\Windows\SysWOW64\Ocalkn32.exe Oqcpob32.exe -
Program crash 1 IoCs
pid pid_target Process 3932 3804 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll" Maedhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjacko32.dll" Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcmafj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oagcgibo.dll" Gfjhgdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odhfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll" Abbeflpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibkki32.dll" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejmebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfjhgdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkmcfhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnobnmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglhipbb.dll" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhfbach.dll" Cgejac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okoafmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifjqh32.dll" Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nncahjgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmdoioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpdmj32.dll" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbnlj32.dll" Jifdebic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjifhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odjbdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblqijln.dll" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abhimnma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jghmfhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nofdklgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gonnhhln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbcnhjnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mggpgmof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfmhhoj.dll" Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohendqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfalhjp.dll" Kjdilgpc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 1072 3008 e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe 28 PID 3008 wrote to memory of 1072 3008 e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe 28 PID 3008 wrote to memory of 1072 3008 e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe 28 PID 3008 wrote to memory of 1072 3008 e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe 28 PID 1072 wrote to memory of 1664 1072 Dhjgal32.exe 29 PID 1072 wrote to memory of 1664 1072 Dhjgal32.exe 29 PID 1072 wrote to memory of 1664 1072 Dhjgal32.exe 29 PID 1072 wrote to memory of 1664 1072 Dhjgal32.exe 29 PID 1664 wrote to memory of 2648 1664 Ddcdkl32.exe 30 PID 1664 wrote to memory of 2648 1664 Ddcdkl32.exe 30 PID 1664 wrote to memory of 2648 1664 Ddcdkl32.exe 30 PID 1664 wrote to memory of 2648 1664 Ddcdkl32.exe 30 PID 2648 wrote to memory of 2748 2648 Dnlidb32.exe 31 PID 2648 wrote to memory of 2748 2648 Dnlidb32.exe 31 PID 2648 wrote to memory of 2748 2648 Dnlidb32.exe 31 PID 2648 wrote to memory of 2748 2648 Dnlidb32.exe 31 PID 2748 wrote to memory of 2560 2748 Dfijnd32.exe 32 PID 2748 wrote to memory of 2560 2748 Dfijnd32.exe 32 PID 2748 wrote to memory of 2560 2748 Dfijnd32.exe 32 PID 2748 wrote to memory of 2560 2748 Dfijnd32.exe 32 PID 2560 wrote to memory of 2468 2560 Emcbkn32.exe 33 PID 2560 wrote to memory of 2468 2560 Emcbkn32.exe 33 PID 2560 wrote to memory of 2468 2560 Emcbkn32.exe 33 PID 2560 wrote to memory of 2468 2560 Emcbkn32.exe 33 PID 2468 wrote to memory of 2716 2468 Ebinic32.exe 34 PID 2468 wrote to memory of 2716 2468 Ebinic32.exe 34 PID 2468 wrote to memory of 2716 2468 Ebinic32.exe 34 PID 2468 wrote to memory of 2716 2468 Ebinic32.exe 34 PID 2716 wrote to memory of 2956 2716 Fhffaj32.exe 35 PID 2716 wrote to memory of 2956 2716 Fhffaj32.exe 35 PID 2716 wrote to memory of 2956 2716 Fhffaj32.exe 35 PID 2716 wrote to memory of 2956 2716 Fhffaj32.exe 35 PID 2956 wrote to memory of 1736 2956 Fnpnndgp.exe 36 PID 2956 wrote to memory of 1736 2956 Fnpnndgp.exe 36 PID 2956 wrote to memory of 1736 2956 Fnpnndgp.exe 36 PID 2956 wrote to memory of 1736 2956 Fnpnndgp.exe 36 PID 1736 wrote to memory of 1868 1736 Gonnhhln.exe 37 PID 1736 wrote to memory of 1868 1736 Gonnhhln.exe 37 PID 1736 wrote to memory of 1868 1736 Gonnhhln.exe 37 PID 1736 wrote to memory of 1868 1736 Gonnhhln.exe 37 PID 1868 wrote to memory of 1192 1868 Glaoalkh.exe 38 PID 1868 wrote to memory of 1192 1868 Glaoalkh.exe 38 PID 1868 wrote to memory of 1192 1868 Glaoalkh.exe 38 PID 1868 wrote to memory of 1192 1868 Glaoalkh.exe 38 PID 1192 wrote to memory of 1252 1192 Gopkmhjk.exe 39 PID 1192 wrote to memory of 1252 1192 Gopkmhjk.exe 39 PID 1192 wrote to memory of 1252 1192 Gopkmhjk.exe 39 PID 1192 wrote to memory of 1252 1192 Gopkmhjk.exe 39 PID 1252 wrote to memory of 672 1252 Gkihhhnm.exe 40 PID 1252 wrote to memory of 672 1252 Gkihhhnm.exe 40 PID 1252 wrote to memory of 672 1252 Gkihhhnm.exe 40 PID 1252 wrote to memory of 672 1252 Gkihhhnm.exe 40 PID 672 wrote to memory of 776 672 Gacpdbej.exe 41 PID 672 wrote to memory of 776 672 Gacpdbej.exe 41 PID 672 wrote to memory of 776 672 Gacpdbej.exe 41 PID 672 wrote to memory of 776 672 Gacpdbej.exe 41 PID 776 wrote to memory of 2860 776 Gdamqndn.exe 42 PID 776 wrote to memory of 2860 776 Gdamqndn.exe 42 PID 776 wrote to memory of 2860 776 Gdamqndn.exe 42 PID 776 wrote to memory of 2860 776 Gdamqndn.exe 42 PID 2860 wrote to memory of 1108 2860 Gkkemh32.exe 43 PID 2860 wrote to memory of 1108 2860 Gkkemh32.exe 43 PID 2860 wrote to memory of 1108 2860 Gkkemh32.exe 43 PID 2860 wrote to memory of 1108 2860 Gkkemh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\e28e3a62a84ab774984dfc8e228410d0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe34⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe39⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe40⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe41⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe42⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe47⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe49⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe50⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe51⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe53⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe59⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe61⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe63⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe64⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe65⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe66⤵PID:376
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe67⤵PID:2476
-
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe68⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe70⤵PID:1588
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe71⤵PID:3068
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe72⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe73⤵PID:1708
-
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe76⤵PID:2668
-
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe77⤵PID:1144
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe78⤵PID:544
-
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe79⤵PID:836
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe80⤵PID:2908
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe81⤵PID:2984
-
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe82⤵PID:1672
-
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe83⤵PID:2568
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe84⤵PID:2188
-
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe85⤵
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe86⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe87⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe88⤵PID:1912
-
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1808 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe91⤵PID:1616
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe93⤵PID:2372
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe94⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe95⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe96⤵PID:2012
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe97⤵PID:1340
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe98⤵PID:2256
-
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe100⤵PID:2488
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe101⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe102⤵PID:1308
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe103⤵PID:1256
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe104⤵PID:2248
-
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe105⤵PID:580
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe106⤵PID:1932
-
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe108⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2172 -
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe110⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe111⤵PID:2940
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe112⤵PID:2412
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe113⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe114⤵PID:1696
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe115⤵PID:2804
-
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe117⤵PID:2976
-
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe119⤵PID:2092
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe120⤵PID:2520
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe121⤵PID:3012
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe122⤵PID:1092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-