Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 17:49
Behavioral task
behavioral1
Sample
b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe
-
Size
96KB
-
MD5
b0eef250a6e80331d1684fb476797ff0
-
SHA1
08bfad541a82dbe695421d35184d9cff068031f3
-
SHA256
865a6958c8707ddeec381a0f53523192c33ced97211cbc0f77df969d861fa676
-
SHA512
194be31e8a032757c8df4b4087cac4a943ec17e8246ac93ea1d9f546491f4d6a7f4ac1f12dc14ba6781223b0f802b26025caaf1aa71da6d74d4a8b630d54e3da
-
SSDEEP
1536:qsYJTDSwC4TV1KznsqEnbQcDrb9tMhw2XI2LRaIZTJ+7LhkiB0MPiKeEAgH:qTTDVV10n8n86Vu9XZRaMU7uihJ5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnkbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpebmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegkpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dncibp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cicalakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaghki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojhafnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofcbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okbpde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbcidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbcidmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkipao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdkoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmejllia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padhdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaghki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfoaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edidqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcnojnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnifd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfegp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phklaacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcmap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfehhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daofpchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmbek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flapkmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inojhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipmhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqnkafa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbln32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b000000015a2d-5.dat family_berbew behavioral1/files/0x002a000000015c3c-19.dat family_berbew behavioral1/files/0x0007000000015cb9-32.dat family_berbew behavioral1/files/0x0009000000015e02-46.dat family_berbew behavioral1/files/0x00050000000186a0-61.dat family_berbew behavioral1/files/0x0006000000018ae8-77.dat family_berbew behavioral1/files/0x0006000000018b33-92.dat family_berbew behavioral1/memory/2376-98-0x00000000003C0000-0x00000000003FC000-memory.dmp family_berbew behavioral1/files/0x0006000000018b42-108.dat family_berbew behavioral1/memory/1276-114-0x00000000001B0000-0x00000000001EC000-memory.dmp family_berbew behavioral1/files/0x0006000000018b6a-124.dat family_berbew behavioral1/files/0x0006000000018b96-141.dat family_berbew behavioral1/files/0x0006000000018d06-154.dat family_berbew behavioral1/memory/2376-163-0x00000000003C0000-0x00000000003FC000-memory.dmp family_berbew behavioral1/memory/2284-166-0x00000000001B0000-0x00000000001EC000-memory.dmp family_berbew behavioral1/files/0x00050000000192f4-171.dat family_berbew behavioral1/files/0x0005000000019333-187.dat family_berbew behavioral1/files/0x0005000000019377-202.dat family_berbew behavioral1/files/0x00050000000193b0-216.dat family_berbew behavioral1/files/0x000500000001946b-232.dat family_berbew behavioral1/memory/2144-240-0x00000000003C0000-0x00000000003FC000-memory.dmp family_berbew behavioral1/memory/2284-238-0x00000000001B0000-0x00000000001EC000-memory.dmp family_berbew behavioral1/files/0x0005000000019473-252.dat family_berbew behavioral1/files/0x00050000000194a4-261.dat family_berbew behavioral1/memory/1788-266-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x00040000000194d8-276.dat family_berbew behavioral1/files/0x00050000000194e8-284.dat family_berbew behavioral1/files/0x00050000000194ee-299.dat family_berbew behavioral1/memory/980-312-0x00000000001B0000-0x00000000001EC000-memory.dmp family_berbew behavioral1/files/0x00050000000194f2-307.dat family_berbew behavioral1/files/0x000500000001950c-320.dat family_berbew behavioral1/files/0x0005000000019547-335.dat family_berbew behavioral1/files/0x000500000001959c-346.dat family_berbew behavioral1/files/0x00050000000195a2-357.dat family_berbew behavioral1/files/0x00050000000195a6-366.dat family_berbew behavioral1/files/0x00050000000195a8-377.dat family_berbew behavioral1/files/0x00050000000195aa-388.dat family_berbew behavioral1/files/0x00050000000195ff-397.dat family_berbew behavioral1/files/0x00050000000196d8-409.dat family_berbew behavioral1/files/0x0005000000019bd6-420.dat family_berbew behavioral1/files/0x0005000000019bd8-430.dat family_berbew behavioral1/files/0x0005000000019cba-441.dat family_berbew behavioral1/files/0x0005000000019d4d-454.dat family_berbew behavioral1/files/0x0005000000019f42-463.dat family_berbew behavioral1/files/0x000500000001a00c-476.dat family_berbew behavioral1/files/0x000500000001a04c-484.dat family_berbew behavioral1/files/0x000500000001a31e-494.dat family_berbew behavioral1/files/0x000500000001a3c5-503.dat family_berbew behavioral1/files/0x000500000001a3cd-516.dat family_berbew behavioral1/files/0x000500000001a40b-525.dat family_berbew behavioral1/files/0x000500000001a42b-537.dat family_berbew behavioral1/files/0x000500000001a432-546.dat family_berbew behavioral1/files/0x000500000001a441-557.dat family_berbew behavioral1/files/0x000500000001a445-568.dat family_berbew behavioral1/files/0x000500000001a449-579.dat family_berbew behavioral1/files/0x000500000001a44d-590.dat family_berbew behavioral1/files/0x000500000001a451-602.dat family_berbew behavioral1/files/0x000500000001a455-611.dat family_berbew behavioral1/files/0x000500000001a459-623.dat family_berbew behavioral1/files/0x000500000001a45d-632.dat family_berbew behavioral1/files/0x000500000001a461-646.dat family_berbew behavioral1/files/0x000500000001a465-655.dat family_berbew behavioral1/files/0x000500000001a46a-665.dat family_berbew behavioral1/files/0x000500000001a46e-674.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2904 Egmojnlf.exe 2100 Epgphcqd.exe 2580 Eolmip32.exe 2868 Ffibkj32.exe 2660 Fhikme32.exe 2376 Fbdlkj32.exe 1276 Gqiimfam.exe 1008 Gmbfggdo.exe 2668 Gljpncgc.exe 2284 Hpjeialg.exe 1912 Hnpbjnpo.exe 1216 Hnbopmnm.exe 2084 Iphecepe.exe 2220 Ifdjeoep.exe 2144 Ieigfk32.exe 2212 Jkhldafl.exe 1788 Jagnlkjd.exe 980 Jkpbdq32.exe 2192 Kdjccf32.exe 900 Kfnmpn32.exe 1744 Kcdjoaee.exe 2180 Knnkpobc.exe 2812 Lghlndfa.exe 2856 Lqcmmjko.exe 3008 Lcdfnehp.exe 1884 Mpmcielb.exe 2716 Mbnljqic.exe 2700 Mihdgkpp.exe 2388 Mlhnifmq.exe 2372 Mccbmh32.exe 2484 Nfdkoc32.exe 1124 Ndhlhg32.exe 764 Nmqpam32.exe 2464 Nmcmgm32.exe 2988 Ndmecgba.exe 1740 Nmejllia.exe 1476 Nbbbdcgi.exe 2148 Oeckfndj.exe 1244 Oajlkojn.exe 2012 Okbpde32.exe 584 Oehdan32.exe 2712 Oanefo32.exe 2948 Oaqbln32.exe 1424 Pkifdd32.exe 1700 Ppfomk32.exe 1212 Pecgea32.exe 1872 Phcpgm32.exe 1984 Pjcmap32.exe 2280 Phhjblpa.exe 1036 Qaqnkafa.exe 1600 Qackpado.exe 3012 Ajnpecbj.exe 2568 Agbpnh32.exe 2560 Adfqgl32.exe 2548 Anneqafn.exe 2536 Ajeeeblb.exe 588 Acnjnh32.exe 572 Aodkci32.exe 1508 Bimoloog.exe 2816 Bbeded32.exe 948 Bkmhnjlh.exe 1948 Befmfpbi.exe 1972 Bnnaoe32.exe 1148 Bkbaii32.exe -
Loads dropped DLL 64 IoCs
pid Process 2648 b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe 2648 b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe 2904 Egmojnlf.exe 2904 Egmojnlf.exe 2100 Epgphcqd.exe 2100 Epgphcqd.exe 2580 Eolmip32.exe 2580 Eolmip32.exe 2868 Ffibkj32.exe 2868 Ffibkj32.exe 2660 Fhikme32.exe 2660 Fhikme32.exe 2376 Fbdlkj32.exe 2376 Fbdlkj32.exe 1276 Gqiimfam.exe 1276 Gqiimfam.exe 1008 Gmbfggdo.exe 1008 Gmbfggdo.exe 2668 Gljpncgc.exe 2668 Gljpncgc.exe 2284 Hpjeialg.exe 2284 Hpjeialg.exe 1912 Hnpbjnpo.exe 1912 Hnpbjnpo.exe 1216 Hnbopmnm.exe 1216 Hnbopmnm.exe 2084 Iphecepe.exe 2084 Iphecepe.exe 2220 Ifdjeoep.exe 2220 Ifdjeoep.exe 2144 Ieigfk32.exe 2144 Ieigfk32.exe 2212 Jkhldafl.exe 2212 Jkhldafl.exe 1788 Jagnlkjd.exe 1788 Jagnlkjd.exe 980 Jkpbdq32.exe 980 Jkpbdq32.exe 2192 Kdjccf32.exe 2192 Kdjccf32.exe 900 Kfnmpn32.exe 900 Kfnmpn32.exe 1744 Kcdjoaee.exe 1744 Kcdjoaee.exe 2180 Knnkpobc.exe 2180 Knnkpobc.exe 2812 Lghlndfa.exe 2812 Lghlndfa.exe 2856 Lqcmmjko.exe 2856 Lqcmmjko.exe 3008 Lcdfnehp.exe 3008 Lcdfnehp.exe 1884 Mpmcielb.exe 1884 Mpmcielb.exe 2716 Mbnljqic.exe 2716 Mbnljqic.exe 2700 Mihdgkpp.exe 2700 Mihdgkpp.exe 2388 Mlhnifmq.exe 2388 Mlhnifmq.exe 2372 Mccbmh32.exe 2372 Mccbmh32.exe 2484 Nfdkoc32.exe 2484 Nfdkoc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ehnfpifm.exe Efljhq32.exe File opened for modification C:\Windows\SysWOW64\Gljpncgc.exe Gmbfggdo.exe File created C:\Windows\SysWOW64\Agbpnh32.exe Ajnpecbj.exe File created C:\Windows\SysWOW64\Bgdkkc32.exe Bdfooh32.exe File opened for modification C:\Windows\SysWOW64\Cqfbjhgf.exe Cfanmogq.exe File opened for modification C:\Windows\SysWOW64\Klcgpkhh.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Ibebjn32.dll Hnpbjnpo.exe File created C:\Windows\SysWOW64\Flfifa32.dll Anjnnk32.exe File created C:\Windows\SysWOW64\Dnqlmq32.exe Cmppehkh.exe File created C:\Windows\SysWOW64\Jpepkk32.exe Jmfcop32.exe File created C:\Windows\SysWOW64\Gefcmp32.dll Plbkfdba.exe File created C:\Windows\SysWOW64\Cnfdih32.dll Cqaiph32.exe File created C:\Windows\SysWOW64\Loeccoai.dll Feachqgb.exe File created C:\Windows\SysWOW64\Kcacjhob.dll Lonpma32.exe File created C:\Windows\SysWOW64\Jjbpqjma.dll Giaidnkf.exe File created C:\Windows\SysWOW64\Ojojafnk.dll Ijqoilii.exe File created C:\Windows\SysWOW64\Qdompf32.exe Qobdgo32.exe File created C:\Windows\SysWOW64\Iajfhi32.dll Giipab32.exe File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Bdcifi32.exe File created C:\Windows\SysWOW64\Kfodfh32.exe Kenhopmf.exe File created C:\Windows\SysWOW64\Nnnbni32.exe Ncinap32.exe File created C:\Windows\SysWOW64\Bbodaa32.dll Jkpbdq32.exe File created C:\Windows\SysWOW64\Nfllknkp.dll Oanefo32.exe File opened for modification C:\Windows\SysWOW64\Jialfgcc.exe Jpigma32.exe File opened for modification C:\Windows\SysWOW64\Olpilg32.exe Ojomdoof.exe File opened for modification C:\Windows\SysWOW64\Fgjjad32.exe Fppaej32.exe File created C:\Windows\SysWOW64\Ghjggnbo.dll Jkhldafl.exe File opened for modification C:\Windows\SysWOW64\Oehdan32.exe Okbpde32.exe File created C:\Windows\SysWOW64\Dfphcj32.exe Dkigoimd.exe File created C:\Windows\SysWOW64\Ekdehk32.dll Fajbke32.exe File opened for modification C:\Windows\SysWOW64\Bkhhhd32.exe Andgop32.exe File created C:\Windows\SysWOW64\Jqgaapqd.dll Akpkmo32.exe File created C:\Windows\SysWOW64\Elgfkhpi.exe Eihjolae.exe File opened for modification C:\Windows\SysWOW64\Kipmhc32.exe Kfaalh32.exe File opened for modification C:\Windows\SysWOW64\Ppfomk32.exe Pkifdd32.exe File created C:\Windows\SysWOW64\Hjlioj32.exe Gbadjg32.exe File created C:\Windows\SysWOW64\Ollopmbl.dll Lbcbjlmb.exe File opened for modification C:\Windows\SysWOW64\Pkaehb32.exe Paiaplin.exe File opened for modification C:\Windows\SysWOW64\Giaidnkf.exe Gcgqgd32.exe File opened for modification C:\Windows\SysWOW64\Hcdnhoac.exe Hjlioj32.exe File opened for modification C:\Windows\SysWOW64\Ijqoilii.exe Iedfqeka.exe File created C:\Windows\SysWOW64\Mimpkcdn.exe Mkipao32.exe File opened for modification C:\Windows\SysWOW64\Adfbpega.exe Aiaoclgl.exe File opened for modification C:\Windows\SysWOW64\Enlidg32.exe Eaeipfei.exe File opened for modification C:\Windows\SysWOW64\Lfmbek32.exe Lhiakf32.exe File created C:\Windows\SysWOW64\Pihbeaea.dll Kipmhc32.exe File opened for modification C:\Windows\SysWOW64\Nnnbni32.exe Ncinap32.exe File created C:\Windows\SysWOW64\Hlhjdd32.dll Ohbikbkb.exe File opened for modification C:\Windows\SysWOW64\Glklejoo.exe Feachqgb.exe File created C:\Windows\SysWOW64\Fhikme32.exe Ffibkj32.exe File opened for modification C:\Windows\SysWOW64\Andgop32.exe Adlcfjgh.exe File opened for modification C:\Windows\SysWOW64\Dcllbhdn.exe Dmbcen32.exe File created C:\Windows\SysWOW64\Jhjbqo32.exe Imaapa32.exe File created C:\Windows\SysWOW64\Epmadeed.dll Deenjpcd.exe File created C:\Windows\SysWOW64\Bghgmd32.dll Edlafebn.exe File opened for modification C:\Windows\SysWOW64\Fcqjfeja.exe Faonom32.exe File created C:\Windows\SysWOW64\Cmlcld32.dll Eaeipfei.exe File created C:\Windows\SysWOW64\Apoldh32.dll Ggicgopd.exe File created C:\Windows\SysWOW64\Gconbj32.exe Gfkmie32.exe File created C:\Windows\SysWOW64\Hlklph32.dll Pfbfhm32.exe File opened for modification C:\Windows\SysWOW64\Hmalldcn.exe Hpnkbpdd.exe File opened for modification C:\Windows\SysWOW64\Ihniaa32.exe Hbaaik32.exe File created C:\Windows\SysWOW64\Cbblda32.exe Cfkloq32.exe File created C:\Windows\SysWOW64\Hghillnd.exe Hbkqdepm.exe -
Program crash 1 IoCs
pid pid_target Process 4672 4780 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijoclhk.dll" Momfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcohdeco.dll" Fijbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijqoilii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll" Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibipmiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhdnf32.dll" Pioeoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llomfpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anadojlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbceme32.dll" Glklejoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkmhnjlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnnaoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adlcfjgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgjjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlqjkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpolbgp.dll" Nmejllia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdnmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnaiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgono32.dll" Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghbljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfaalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifmimch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llpfjomf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbbdcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agbpnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oadkej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiflohqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajnpecbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiilephi.dll" Lnecigcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqdfehii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lghlndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncnhl32.dll" Mnaiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihjolae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgikembl.dll" Ponklpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ponklpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdoime32.dll" Fppaej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aohdmdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opfegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhbpkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbodaa32.dll" Jkpbdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnoogbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djjjga32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2904 2648 b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe 28 PID 2648 wrote to memory of 2904 2648 b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe 28 PID 2648 wrote to memory of 2904 2648 b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe 28 PID 2648 wrote to memory of 2904 2648 b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe 28 PID 2904 wrote to memory of 2100 2904 Egmojnlf.exe 29 PID 2904 wrote to memory of 2100 2904 Egmojnlf.exe 29 PID 2904 wrote to memory of 2100 2904 Egmojnlf.exe 29 PID 2904 wrote to memory of 2100 2904 Egmojnlf.exe 29 PID 2100 wrote to memory of 2580 2100 Epgphcqd.exe 30 PID 2100 wrote to memory of 2580 2100 Epgphcqd.exe 30 PID 2100 wrote to memory of 2580 2100 Epgphcqd.exe 30 PID 2100 wrote to memory of 2580 2100 Epgphcqd.exe 30 PID 2580 wrote to memory of 2868 2580 Eolmip32.exe 31 PID 2580 wrote to memory of 2868 2580 Eolmip32.exe 31 PID 2580 wrote to memory of 2868 2580 Eolmip32.exe 31 PID 2580 wrote to memory of 2868 2580 Eolmip32.exe 31 PID 2868 wrote to memory of 2660 2868 Ffibkj32.exe 32 PID 2868 wrote to memory of 2660 2868 Ffibkj32.exe 32 PID 2868 wrote to memory of 2660 2868 Ffibkj32.exe 32 PID 2868 wrote to memory of 2660 2868 Ffibkj32.exe 32 PID 2660 wrote to memory of 2376 2660 Fhikme32.exe 33 PID 2660 wrote to memory of 2376 2660 Fhikme32.exe 33 PID 2660 wrote to memory of 2376 2660 Fhikme32.exe 33 PID 2660 wrote to memory of 2376 2660 Fhikme32.exe 33 PID 2376 wrote to memory of 1276 2376 Fbdlkj32.exe 34 PID 2376 wrote to memory of 1276 2376 Fbdlkj32.exe 34 PID 2376 wrote to memory of 1276 2376 Fbdlkj32.exe 34 PID 2376 wrote to memory of 1276 2376 Fbdlkj32.exe 34 PID 1276 wrote to memory of 1008 1276 Gqiimfam.exe 35 PID 1276 wrote to memory of 1008 1276 Gqiimfam.exe 35 PID 1276 wrote to memory of 1008 1276 Gqiimfam.exe 35 PID 1276 wrote to memory of 1008 1276 Gqiimfam.exe 35 PID 1008 wrote to memory of 2668 1008 Gmbfggdo.exe 36 PID 1008 wrote to memory of 2668 1008 Gmbfggdo.exe 36 PID 1008 wrote to memory of 2668 1008 Gmbfggdo.exe 36 PID 1008 wrote to memory of 2668 1008 Gmbfggdo.exe 36 PID 2668 wrote to memory of 2284 2668 Gljpncgc.exe 37 PID 2668 wrote to memory of 2284 2668 Gljpncgc.exe 37 PID 2668 wrote to memory of 2284 2668 Gljpncgc.exe 37 PID 2668 wrote to memory of 2284 2668 Gljpncgc.exe 37 PID 2284 wrote to memory of 1912 2284 Hpjeialg.exe 38 PID 2284 wrote to memory of 1912 2284 Hpjeialg.exe 38 PID 2284 wrote to memory of 1912 2284 Hpjeialg.exe 38 PID 2284 wrote to memory of 1912 2284 Hpjeialg.exe 38 PID 1912 wrote to memory of 1216 1912 Hnpbjnpo.exe 39 PID 1912 wrote to memory of 1216 1912 Hnpbjnpo.exe 39 PID 1912 wrote to memory of 1216 1912 Hnpbjnpo.exe 39 PID 1912 wrote to memory of 1216 1912 Hnpbjnpo.exe 39 PID 1216 wrote to memory of 2084 1216 Hnbopmnm.exe 40 PID 1216 wrote to memory of 2084 1216 Hnbopmnm.exe 40 PID 1216 wrote to memory of 2084 1216 Hnbopmnm.exe 40 PID 1216 wrote to memory of 2084 1216 Hnbopmnm.exe 40 PID 2084 wrote to memory of 2220 2084 Iphecepe.exe 41 PID 2084 wrote to memory of 2220 2084 Iphecepe.exe 41 PID 2084 wrote to memory of 2220 2084 Iphecepe.exe 41 PID 2084 wrote to memory of 2220 2084 Iphecepe.exe 41 PID 2220 wrote to memory of 2144 2220 Ifdjeoep.exe 42 PID 2220 wrote to memory of 2144 2220 Ifdjeoep.exe 42 PID 2220 wrote to memory of 2144 2220 Ifdjeoep.exe 42 PID 2220 wrote to memory of 2144 2220 Ifdjeoep.exe 42 PID 2144 wrote to memory of 2212 2144 Ieigfk32.exe 43 PID 2144 wrote to memory of 2212 2144 Ieigfk32.exe 43 PID 2144 wrote to memory of 2212 2144 Ieigfk32.exe 43 PID 2144 wrote to memory of 2212 2144 Ieigfk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b0eef250a6e80331d1684fb476797ff0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe33⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe34⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe35⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe36⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe39⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe40⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe42⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe46⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe47⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe48⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe50⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe52⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe55⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe56⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe57⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe58⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe59⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe60⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe63⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe65⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe66⤵PID:2096
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe67⤵PID:2156
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe68⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe69⤵PID:1172
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe70⤵PID:708
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe71⤵PID:1104
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1436 -
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe74⤵PID:2004
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe75⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe76⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe77⤵PID:2308
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe78⤵PID:3060
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe79⤵PID:2976
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe80⤵PID:2784
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe82⤵PID:2588
-
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe84⤵PID:1652
-
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe85⤵PID:1932
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe87⤵PID:2228
-
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe88⤵PID:2200
-
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe89⤵PID:2120
-
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe90⤵PID:1064
-
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe91⤵PID:1084
-
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe92⤵PID:596
-
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe93⤵PID:580
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe94⤵PID:2864
-
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe95⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe97⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe99⤵PID:1640
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe100⤵PID:1648
-
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe103⤵PID:1636
-
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe104⤵PID:2076
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe105⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe106⤵PID:696
-
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1828 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe108⤵PID:908
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe109⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe111⤵PID:2852
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe112⤵PID:2504
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe113⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe114⤵PID:2416
-
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe115⤵PID:1556
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe116⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:540 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe118⤵PID:2720
-
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe119⤵PID:2056
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe120⤵PID:2304
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-