Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:12
Behavioral task
behavioral1
Sample
5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
-
Target
5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe
-
Size
208KB
-
MD5
5700b73a2474bdd6fe1c694b63aa0c30
-
SHA1
4d25946e284b356849741e3e130c2dd4edb23ed7
-
SHA256
058df09f2489264cf22803e7a6ab314b68377b911779e0d53fdea91dda3ca334
-
SHA512
f4f88ada69e17b5cdb6fba773d217223c79e763d11bc1bf58add6016896bed0cf9a02b6b90399a1e016bf417ac56d38a2acab9284b8cbd5403d2d7a296fb5934
-
SSDEEP
6144:BBPkgHDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:BcChtMtkM71r1MSXqPix55Kx
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpicle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehdan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poklngnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oniebmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnapnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acfmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmmlgik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaqmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbbpmgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Diidjpbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hegpjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljghjpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnjofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccjoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpjbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lonpma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nallalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnjldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeaiime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhcafa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joggci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaecod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peedka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amcbankf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daofpchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibacbcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqlebf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhejnc32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x00050000000195a2-291.dat family_berbew behavioral1/files/0x000500000001959c-282.dat family_berbew behavioral1/files/0x0005000000019547-269.dat family_berbew behavioral1/files/0x00050000000195a8-314.dat family_berbew behavioral1/files/0x00050000000196d8-348.dat family_berbew behavioral1/files/0x00050000000195ff-334.dat family_berbew behavioral1/files/0x0005000000019bd6-356.dat family_berbew behavioral1/files/0x0005000000019d4d-389.dat family_berbew behavioral1/files/0x000500000001a00c-411.dat family_berbew behavioral1/memory/1972-437-0x0000000000440000-0x0000000000476000-memory.dmp family_berbew behavioral1/files/0x000500000001a3c5-445.dat family_berbew behavioral1/memory/2992-454-0x00000000001B0000-0x00000000001E6000-memory.dmp family_berbew behavioral1/files/0x000500000001a42b-479.dat family_berbew behavioral1/files/0x000500000001a40b-468.dat family_berbew behavioral1/files/0x000500000001a3cd-456.dat family_berbew behavioral1/files/0x000500000001a31e-434.dat family_berbew behavioral1/files/0x000500000001a432-489.dat family_berbew behavioral1/files/0x000500000001a441-504.dat family_berbew behavioral1/files/0x000500000001a445-513.dat family_berbew behavioral1/files/0x000500000001a449-523.dat family_berbew behavioral1/files/0x000500000001a44d-532.dat family_berbew behavioral1/files/0x000500000001a459-567.dat family_berbew behavioral1/files/0x000500000001a45d-578.dat family_berbew behavioral1/files/0x000500000001a461-588.dat family_berbew behavioral1/files/0x000500000001a465-599.dat family_berbew behavioral1/files/0x000500000001a46a-610.dat family_berbew behavioral1/files/0x000500000001a46e-620.dat family_berbew behavioral1/files/0x000500000001a472-632.dat family_berbew behavioral1/files/0x000500000001a477-643.dat family_berbew behavioral1/files/0x000500000001a47b-653.dat family_berbew behavioral1/files/0x000500000001a483-664.dat family_berbew behavioral1/files/0x000500000001a488-674.dat family_berbew behavioral1/files/0x000500000001a4b0-686.dat family_berbew behavioral1/files/0x000500000001c652-720.dat family_berbew behavioral1/files/0x000500000001c6f9-733.dat family_berbew behavioral1/files/0x000500000001c721-743.dat family_berbew behavioral1/files/0x000500000001c82b-758.dat family_berbew behavioral1/files/0x000500000001c82f-773.dat family_berbew behavioral1/files/0x000500000001c834-784.dat family_berbew behavioral1/files/0x000500000001c839-797.dat family_berbew behavioral1/files/0x000500000001c841-822.dat family_berbew behavioral1/files/0x000500000001c845-836.dat family_berbew behavioral1/files/0x000500000001c84d-860.dat family_berbew behavioral1/files/0x000500000001c851-874.dat family_berbew behavioral1/files/0x000500000001c855-886.dat family_berbew behavioral1/files/0x000500000001c85a-898.dat family_berbew behavioral1/files/0x000400000001c8e2-938.dat family_berbew behavioral1/files/0x000400000001c8ed-960.dat family_berbew behavioral1/files/0x000400000001c905-1015.dat family_berbew behavioral1/files/0x000400000001c90c-1026.dat family_berbew behavioral1/files/0x000400000001c990-1050.dat family_berbew behavioral1/files/0x000400000001cad7-1081.dat family_berbew behavioral1/files/0x000400000001cb0d-1115.dat family_berbew behavioral1/files/0x000400000001cb30-1148.dat family_berbew behavioral1/files/0x000400000001cb4b-1170.dat family_berbew behavioral1/files/0x000400000001cb90-1219.dat family_berbew behavioral1/files/0x000400000001cb97-1244.dat family_berbew behavioral1/files/0x000400000001cb9f-1270.dat family_berbew behavioral1/files/0x000400000001cbb0-1284.dat family_berbew behavioral1/files/0x000400000001cbc5-1301.dat family_berbew behavioral1/files/0x000400000001cc15-1316.dat family_berbew behavioral1/files/0x000400000001cc23-1354.dat family_berbew behavioral1/files/0x000400000001cc27-1366.dat family_berbew behavioral1/files/0x000400000001cc2c-1380.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2096 Ecfldoph.exe 2992 Eqjmncna.exe 2604 Foafdoag.exe 2556 Fmegncpp.exe 2844 Fkjdopeh.exe 2804 Findhdcb.exe 1312 Gqlebf32.exe 2368 Gmbfggdo.exe 1812 Gfkkpmko.exe 2652 Hfpdkl32.exe 1480 Hphidanj.exe 2016 Hipmmg32.exe 2196 Hhejnc32.exe 1652 Hnbopmnm.exe 2964 Hndlem32.exe 512 Ihmpobck.exe 1704 Ibfaopoi.exe 3052 Idfnicfl.exe 1588 Iibfajdc.exe 976 Ibmgpoia.exe 1864 Jlelhe32.exe 1300 Jdaqmg32.exe 3028 Jdcmbgkj.exe 2260 Jpjngh32.exe 1720 Jjbbpmgo.exe 1760 Jckgicnp.exe 2052 Kcmcoblm.exe 2984 Kpadhg32.exe 2488 Klhemhpk.exe 2620 Khoebi32.exe 2500 Kbgjkn32.exe 1584 Kllnhg32.exe 1944 Kgfoie32.exe 2848 Lqncaj32.exe 1972 Ljghjpfe.exe 1520 Lcomce32.exe 1532 Ldoimh32.exe 1204 Lngnfnji.exe 1336 Lfbbjpgd.exe 2360 Lokgcf32.exe 2144 Mmogmjmn.exe 1560 Nfdkoc32.exe 2640 Ndhlhg32.exe 2060 Niedqnen.exe 2124 Nallalep.exe 1276 Nfidjbdg.exe 824 Nlfmbibo.exe 1620 Nfkapb32.exe 2740 Nmejllia.exe 2152 Noffdd32.exe 2312 Nfnneb32.exe 1740 Ohojmjep.exe 3020 Obdojcef.exe 2696 Ohagbj32.exe 1576 Okpcoe32.exe 2392 Oeehln32.exe 2484 Oonldcih.exe 2644 Oehdan32.exe 956 Oopijc32.exe 1912 Ohhmcinf.exe 2464 Omefkplm.exe 1400 Ppcbgkka.exe 240 Pilfpqaa.exe 1732 Pcdkif32.exe -
Loads dropped DLL 64 IoCs
pid Process 1908 5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe 1908 5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe 2096 Ecfldoph.exe 2096 Ecfldoph.exe 2992 Eqjmncna.exe 2992 Eqjmncna.exe 2604 Foafdoag.exe 2604 Foafdoag.exe 2556 Fmegncpp.exe 2556 Fmegncpp.exe 2844 Fkjdopeh.exe 2844 Fkjdopeh.exe 2804 Findhdcb.exe 2804 Findhdcb.exe 1312 Gqlebf32.exe 1312 Gqlebf32.exe 2368 Gmbfggdo.exe 2368 Gmbfggdo.exe 1812 Gfkkpmko.exe 1812 Gfkkpmko.exe 2652 Hfpdkl32.exe 2652 Hfpdkl32.exe 1480 Hphidanj.exe 1480 Hphidanj.exe 2016 Hipmmg32.exe 2016 Hipmmg32.exe 2196 Hhejnc32.exe 2196 Hhejnc32.exe 1652 Hnbopmnm.exe 1652 Hnbopmnm.exe 2964 Hndlem32.exe 2964 Hndlem32.exe 512 Ihmpobck.exe 512 Ihmpobck.exe 1704 Ibfaopoi.exe 1704 Ibfaopoi.exe 3052 Idfnicfl.exe 3052 Idfnicfl.exe 1588 Iibfajdc.exe 1588 Iibfajdc.exe 976 Ibmgpoia.exe 976 Ibmgpoia.exe 1864 Jlelhe32.exe 1864 Jlelhe32.exe 1300 Jdaqmg32.exe 1300 Jdaqmg32.exe 3028 Jdcmbgkj.exe 3028 Jdcmbgkj.exe 2260 Jpjngh32.exe 2260 Jpjngh32.exe 1720 Jjbbpmgo.exe 1720 Jjbbpmgo.exe 1760 Jckgicnp.exe 1760 Jckgicnp.exe 2052 Kcmcoblm.exe 2052 Kcmcoblm.exe 2984 Kpadhg32.exe 2984 Kpadhg32.exe 2488 Klhemhpk.exe 2488 Klhemhpk.exe 2620 Khoebi32.exe 2620 Khoebi32.exe 2500 Kbgjkn32.exe 2500 Kbgjkn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Onpeobjf.dll Kdbepm32.exe File created C:\Windows\SysWOW64\Ifkloned.dll Qkibcg32.exe File created C:\Windows\SysWOW64\Qggfio32.dll Mjfnomde.exe File created C:\Windows\SysWOW64\Bqlfaj32.exe Bffbdadk.exe File created C:\Windows\SysWOW64\Fkhibino.exe Fhgppnan.exe File opened for modification C:\Windows\SysWOW64\Jgabdlfb.exe Jojkco32.exe File created C:\Windows\SysWOW64\Mjhjdm32.exe Mjfnomde.exe File created C:\Windows\SysWOW64\Ofhjopbg.exe Olbfagca.exe File created C:\Windows\SysWOW64\Lhfefgkg.exe Lonpma32.exe File created C:\Windows\SysWOW64\Cgnnab32.exe Cmhjdiap.exe File created C:\Windows\SysWOW64\Gkcekfad.exe Gpidki32.exe File created C:\Windows\SysWOW64\Iaimipjl.exe Igqhpj32.exe File opened for modification C:\Windows\SysWOW64\Khldkllj.exe Jmipdo32.exe File created C:\Windows\SysWOW64\Jaknfc32.dll Ohagbj32.exe File created C:\Windows\SysWOW64\Plolgk32.exe Peedka32.exe File created C:\Windows\SysWOW64\Idicbbpi.exe Idgglb32.exe File created C:\Windows\SysWOW64\Knhoedke.dll Diidjpbe.exe File created C:\Windows\SysWOW64\Dilapopb.exe Dfmeccao.exe File created C:\Windows\SysWOW64\Ffhblm32.dll Fmegncpp.exe File created C:\Windows\SysWOW64\Jcidje32.dll Hfhcoj32.exe File created C:\Windows\SysWOW64\Iplfej32.dll Hcldhnkk.exe File created C:\Windows\SysWOW64\Nfkapb32.exe Nlfmbibo.exe File created C:\Windows\SysWOW64\Fphoebme.dll Cfcijf32.exe File opened for modification C:\Windows\SysWOW64\Hcldhnkk.exe Hmalldcn.exe File created C:\Windows\SysWOW64\Lonpma32.exe Kffldlne.exe File created C:\Windows\SysWOW64\Okpcoe32.exe Ohagbj32.exe File created C:\Windows\SysWOW64\Elebllmi.dll Becpap32.exe File opened for modification C:\Windows\SysWOW64\Dhpemm32.exe Dklddhka.exe File created C:\Windows\SysWOW64\Njmokcbh.dll Dncibp32.exe File opened for modification C:\Windows\SysWOW64\Hfhcoj32.exe Hmoofdea.exe File opened for modification C:\Windows\SysWOW64\Jlnklcej.exe Jgabdlfb.exe File opened for modification C:\Windows\SysWOW64\Mmicfh32.exe Mjhjdm32.exe File created C:\Windows\SysWOW64\Egpkbn32.dll Jdnmma32.exe File created C:\Windows\SysWOW64\Lpdonf32.dll Kkgahoel.exe File created C:\Windows\SysWOW64\Lpeeijod.dll Bfabnl32.exe File created C:\Windows\SysWOW64\Iknafhjb.exe Iaimipjl.exe File opened for modification C:\Windows\SysWOW64\Foafdoag.exe Eqjmncna.exe File opened for modification C:\Windows\SysWOW64\Jjbbpmgo.exe Jpjngh32.exe File opened for modification C:\Windows\SysWOW64\Ajeeeblb.exe Aggiigmn.exe File created C:\Windows\SysWOW64\Hffibceh.exe Hqiqjlga.exe File created C:\Windows\SysWOW64\Agacqb32.dll Hipmmg32.exe File opened for modification C:\Windows\SysWOW64\Cfcijf32.exe Clmdmm32.exe File created C:\Windows\SysWOW64\Hbfchh32.dll Onlahm32.exe File created C:\Windows\SysWOW64\Djgompkk.dll Ehmdgp32.exe File created C:\Windows\SysWOW64\Mjfnomde.exe Mkqqnq32.exe File opened for modification C:\Windows\SysWOW64\Ckjamgmk.exe Cfmhdpnc.exe File created C:\Windows\SysWOW64\Pbigmn32.exe Peefcjlg.exe File created C:\Windows\SysWOW64\Qfljkp32.exe Qobbofgn.exe File created C:\Windows\SysWOW64\Agbpnh32.exe Aqhhanig.exe File created C:\Windows\SysWOW64\Dhiomn32.exe Daofpchf.exe File created C:\Windows\SysWOW64\Hipmmg32.exe Hphidanj.exe File opened for modification C:\Windows\SysWOW64\Hfegij32.exe Hmmbqegc.exe File opened for modification C:\Windows\SysWOW64\Iliebpfc.exe Ieomef32.exe File created C:\Windows\SysWOW64\Dombicdm.dll Olbfagca.exe File created C:\Windows\SysWOW64\Dpjbgh32.exe Dfbnoc32.exe File created C:\Windows\SysWOW64\Agbbgqhh.exe Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Imggplgm.exe Ibacbcgg.exe File opened for modification C:\Windows\SysWOW64\Pcdkif32.exe Pilfpqaa.exe File opened for modification C:\Windows\SysWOW64\Eejopecj.exe Edibhmml.exe File created C:\Windows\SysWOW64\Gmqbcm32.dll Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Aggiigmn.exe Ajcipc32.exe File opened for modification C:\Windows\SysWOW64\Nhlgmd32.exe Nabopjmj.exe File created C:\Windows\SysWOW64\Bbjclbek.dll Alnalh32.exe File opened for modification C:\Windows\SysWOW64\Cgcnghpl.exe Cnkjnb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4376 4312 WerFault.exe 413 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egmabg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbakd32.dll" Nallalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaknfc32.dll" Ohagbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Becpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egonhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfkkpmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmhch32.dll" Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgibnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpicle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfplfp.dll" Lkjjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbaepf32.dll" Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omppei32.dll" Kgfoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmcopebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adqaqk32.dll" Nefdpjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkhibino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibfaopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeaiio32.dll" Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqbijmn.dll" Nmcopebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hegpjaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfnneb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enlidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhilkege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omefkplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpkmcldj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajhddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhebgh32.dll" Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggajf32.dll" Oeaqig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjleclph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkigoimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpmhc32.dll" Danpemej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdaaanl.dll" Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdnfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhbnbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Diidjpbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Illbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loqhnifk.dll" Iibfajdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnqjnhge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onqkclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anljck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kllnhg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1908 wrote to memory of 2096 1908 5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe 28 PID 1908 wrote to memory of 2096 1908 5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe 28 PID 1908 wrote to memory of 2096 1908 5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe 28 PID 1908 wrote to memory of 2096 1908 5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe 28 PID 2096 wrote to memory of 2992 2096 Ecfldoph.exe 29 PID 2096 wrote to memory of 2992 2096 Ecfldoph.exe 29 PID 2096 wrote to memory of 2992 2096 Ecfldoph.exe 29 PID 2096 wrote to memory of 2992 2096 Ecfldoph.exe 29 PID 2992 wrote to memory of 2604 2992 Eqjmncna.exe 30 PID 2992 wrote to memory of 2604 2992 Eqjmncna.exe 30 PID 2992 wrote to memory of 2604 2992 Eqjmncna.exe 30 PID 2992 wrote to memory of 2604 2992 Eqjmncna.exe 30 PID 2604 wrote to memory of 2556 2604 Foafdoag.exe 31 PID 2604 wrote to memory of 2556 2604 Foafdoag.exe 31 PID 2604 wrote to memory of 2556 2604 Foafdoag.exe 31 PID 2604 wrote to memory of 2556 2604 Foafdoag.exe 31 PID 2556 wrote to memory of 2844 2556 Fmegncpp.exe 32 PID 2556 wrote to memory of 2844 2556 Fmegncpp.exe 32 PID 2556 wrote to memory of 2844 2556 Fmegncpp.exe 32 PID 2556 wrote to memory of 2844 2556 Fmegncpp.exe 32 PID 2844 wrote to memory of 2804 2844 Fkjdopeh.exe 33 PID 2844 wrote to memory of 2804 2844 Fkjdopeh.exe 33 PID 2844 wrote to memory of 2804 2844 Fkjdopeh.exe 33 PID 2844 wrote to memory of 2804 2844 Fkjdopeh.exe 33 PID 2804 wrote to memory of 1312 2804 Findhdcb.exe 34 PID 2804 wrote to memory of 1312 2804 Findhdcb.exe 34 PID 2804 wrote to memory of 1312 2804 Findhdcb.exe 34 PID 2804 wrote to memory of 1312 2804 Findhdcb.exe 34 PID 1312 wrote to memory of 2368 1312 Gqlebf32.exe 35 PID 1312 wrote to memory of 2368 1312 Gqlebf32.exe 35 PID 1312 wrote to memory of 2368 1312 Gqlebf32.exe 35 PID 1312 wrote to memory of 2368 1312 Gqlebf32.exe 35 PID 2368 wrote to memory of 1812 2368 Gmbfggdo.exe 36 PID 2368 wrote to memory of 1812 2368 Gmbfggdo.exe 36 PID 2368 wrote to memory of 1812 2368 Gmbfggdo.exe 36 PID 2368 wrote to memory of 1812 2368 Gmbfggdo.exe 36 PID 1812 wrote to memory of 2652 1812 Gfkkpmko.exe 37 PID 1812 wrote to memory of 2652 1812 Gfkkpmko.exe 37 PID 1812 wrote to memory of 2652 1812 Gfkkpmko.exe 37 PID 1812 wrote to memory of 2652 1812 Gfkkpmko.exe 37 PID 2652 wrote to memory of 1480 2652 Hfpdkl32.exe 38 PID 2652 wrote to memory of 1480 2652 Hfpdkl32.exe 38 PID 2652 wrote to memory of 1480 2652 Hfpdkl32.exe 38 PID 2652 wrote to memory of 1480 2652 Hfpdkl32.exe 38 PID 1480 wrote to memory of 2016 1480 Hphidanj.exe 39 PID 1480 wrote to memory of 2016 1480 Hphidanj.exe 39 PID 1480 wrote to memory of 2016 1480 Hphidanj.exe 39 PID 1480 wrote to memory of 2016 1480 Hphidanj.exe 39 PID 2016 wrote to memory of 2196 2016 Hipmmg32.exe 40 PID 2016 wrote to memory of 2196 2016 Hipmmg32.exe 40 PID 2016 wrote to memory of 2196 2016 Hipmmg32.exe 40 PID 2016 wrote to memory of 2196 2016 Hipmmg32.exe 40 PID 2196 wrote to memory of 1652 2196 Hhejnc32.exe 41 PID 2196 wrote to memory of 1652 2196 Hhejnc32.exe 41 PID 2196 wrote to memory of 1652 2196 Hhejnc32.exe 41 PID 2196 wrote to memory of 1652 2196 Hhejnc32.exe 41 PID 1652 wrote to memory of 2964 1652 Hnbopmnm.exe 42 PID 1652 wrote to memory of 2964 1652 Hnbopmnm.exe 42 PID 1652 wrote to memory of 2964 1652 Hnbopmnm.exe 42 PID 1652 wrote to memory of 2964 1652 Hnbopmnm.exe 42 PID 2964 wrote to memory of 512 2964 Hndlem32.exe 43 PID 2964 wrote to memory of 512 2964 Hndlem32.exe 43 PID 2964 wrote to memory of 512 2964 Hndlem32.exe 43 PID 2964 wrote to memory of 512 2964 Hndlem32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5700b73a2474bdd6fe1c694b63aa0c30_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:512 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe35⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe37⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe38⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe41⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe42⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe43⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe45⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe47⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe49⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe51⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe53⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe54⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe56⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe57⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe58⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe60⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe63⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:240 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe65⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:424 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe69⤵PID:884
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe71⤵PID:2908
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe72⤵PID:972
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe73⤵PID:1832
-
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe74⤵
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe75⤵PID:1224
-
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe76⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe77⤵PID:2708
-
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe78⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe79⤵PID:2568
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe80⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe81⤵PID:1060
-
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe82⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe83⤵PID:2080
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe84⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe85⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe86⤵PID:2040
-
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe88⤵PID:856
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe89⤵PID:1220
-
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe91⤵PID:1604
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe94⤵PID:1596
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe95⤵PID:308
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe96⤵PID:2524
-
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe97⤵PID:1856
-
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe99⤵PID:2544
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe100⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe101⤵PID:1344
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe102⤵PID:2064
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe103⤵PID:1352
-
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe104⤵PID:3044
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe105⤵PID:2628
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe106⤵PID:1592
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe107⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe108⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe109⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe110⤵PID:2712
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe111⤵PID:2308
-
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe112⤵PID:1388
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe115⤵PID:2736
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe116⤵PID:2460
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe117⤵
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe119⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe120⤵PID:1016
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe122⤵PID:2076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-