Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/05/2024, 15:19
Behavioral task
behavioral1
Sample
135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe
-
Size
109KB
-
MD5
135bbd5de2f6e7df2e97ab8f4bd311f0
-
SHA1
75b02d88d0698031ce21721de9cc65cbc5a9d754
-
SHA256
862b4f648cb5922e3485c3d9e1e3e6484aaedebfe4c3d439e081922d8fea08bd
-
SHA512
5703d006e7ede69b249d4acf3a0e378ebc913a2f9f2c58deda5f9425ceeb36c47918ff8f7760e844ce26f55102e057da406898750ab4e858e6543658a335a38e
-
SSDEEP
3072:XZEMAwD3Tqo44MkusSfKXJ9hLCqwzBu1DjHLMVDqqkSp:X3Tqqu7KJ9pwtu1DjrFqh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebialmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhjoof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijlaloaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqpmimbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnmpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqnapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mopdpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oopijc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopahjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfchqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmecgba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijidfpci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhmaeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggfbpaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhiiloh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipomlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjeglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmdbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgokfnij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einlmkhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgohna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndfpnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Padccpal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcmgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooicid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnladjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhpfdaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbbomjnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felcbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnkcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcllbhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nppofado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eikfdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndmecgba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddpobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njchfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombddbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcblqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dekdikhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdpnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdfimji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkqiek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijkje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnqdhga.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1084-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1084-6-0x0000000000220000-0x0000000000264000-memory.dmp family_berbew behavioral1/files/0x000a00000001466c-10.dat family_berbew behavioral1/memory/2176-22-0x0000000000220000-0x0000000000264000-memory.dmp family_berbew behavioral1/files/0x000c000000014fe1-29.dat family_berbew behavioral1/files/0x000700000001560a-38.dat family_berbew behavioral1/files/0x0008000000015a98-47.dat family_berbew behavioral1/memory/2588-56-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015e41-61.dat family_berbew behavioral1/files/0x0006000000015e6f-81.dat family_berbew behavioral1/files/0x0006000000015eaf-89.dat family_berbew behavioral1/memory/2416-97-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2452-83-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2356-82-0x00000000003B0000-0x00000000003F4000-memory.dmp family_berbew behavioral1/memory/2356-76-0x00000000003B0000-0x00000000003F4000-memory.dmp family_berbew behavioral1/files/0x000600000001604b-106.dat family_berbew behavioral1/files/0x0006000000016283-122.dat family_berbew behavioral1/files/0x0006000000016476-129.dat family_berbew behavioral1/files/0x000600000001663d-143.dat family_berbew behavioral1/files/0x0006000000016b5e-164.dat family_berbew behavioral1/files/0x0006000000016c10-174.dat family_berbew behavioral1/memory/1560-191-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1148-203-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016ca9-204.dat family_berbew behavioral1/files/0x0006000000016cd4-209.dat family_berbew behavioral1/memory/2916-227-0x0000000000220000-0x0000000000264000-memory.dmp family_berbew behavioral1/memory/1232-250-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016d84-267.dat family_berbew behavioral1/memory/2852-272-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000016e56-280.dat family_berbew behavioral1/memory/1568-300-0x0000000000450000-0x0000000000494000-memory.dmp family_berbew behavioral1/memory/1568-308-0x0000000000450000-0x0000000000494000-memory.dmp family_berbew behavioral1/memory/1016-318-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000018b15-323.dat family_berbew behavioral1/memory/1628-341-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2316-349-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2316-358-0x0000000000220000-0x0000000000264000-memory.dmp family_berbew behavioral1/memory/2632-371-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2512-404-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2352-419-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/552-429-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001946f-432.dat family_berbew behavioral1/memory/2204-448-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019485-443.dat family_berbew behavioral1/memory/1828-442-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019410-421.dat family_berbew behavioral1/files/0x000500000001939b-412.dat family_berbew behavioral1/files/0x0005000000019368-399.dat family_berbew behavioral1/memory/2596-398-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001931b-388.dat family_berbew behavioral1/memory/2560-382-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000192c9-377.dat family_berbew behavioral1/memory/1084-459-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1200-475-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000194ea-478.dat family_berbew behavioral1/files/0x00050000000194ef-489.dat family_berbew behavioral1/files/0x00050000000194f4-500.dat family_berbew behavioral1/files/0x0005000000019570-520.dat family_berbew behavioral1/files/0x000500000001959e-530.dat family_berbew behavioral1/files/0x00050000000195a4-541.dat family_berbew behavioral1/files/0x00050000000195a7-552.dat family_berbew behavioral1/files/0x0005000000019646-583.dat family_berbew behavioral1/files/0x000500000001996e-593.dat family_berbew behavioral1/files/0x00050000000195ba-573.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2176 Efdhpjok.exe 2000 Fjbafi32.exe 2876 Foojop32.exe 2588 Fjdnlhco.exe 2356 Fhikme32.exe 2452 Fgohna32.exe 2416 Fkmqdpce.exe 884 Ggcaiqhj.exe 2332 Gcokiaji.exe 936 Gjicfk32.exe 768 Hfpdkl32.exe 1452 Hnkion32.exe 1972 Hipmmg32.exe 1560 Halbai32.exe 1148 Hlafnbal.exe 2916 Hhhgcc32.exe 2648 Hdoghdmd.exe 692 Hmglajcd.exe 1232 Ihmpobck.exe 1904 Imiigiab.exe 2852 Ifampo32.exe 1044 Ibhndp32.exe 1568 Iplnnd32.exe 816 Ifffkncm.exe 1016 Iapgkl32.exe 2224 Jkhldafl.exe 1628 Jlhhndno.exe 2316 Jdcmbgkj.exe 2492 Jdhgnf32.exe 2632 Kdjccf32.exe 2560 Kjglkm32.exe 2596 Kfnmpn32.exe 2512 Kpcqnf32.exe 2352 Khabghdl.exe 552 Kbigpn32.exe 1828 Lkakicam.exe 2204 Lbnpkmfg.exe 2104 Lqcmmjko.exe 1200 Maefamlh.exe 1612 Mjnjjbbh.exe 1496 Necogkbo.exe 2988 Nnkcpq32.exe 2420 Ndhlhg32.exe 676 Nmqpam32.exe 1520 Nbniid32.exe 1640 Nmcmgm32.exe 612 Ndmecgba.exe 2992 Nenakoho.exe 2996 Noffdd32.exe 2884 Oiljam32.exe 1736 Ooicid32.exe 1720 Oeckfndj.exe 2112 Okpcoe32.exe 1608 Oajlkojn.exe 1896 Okbpde32.exe 2476 Ogiaif32.exe 2772 Oopijc32.exe 2428 Ogknoe32.exe 568 Oijjka32.exe 584 Ppcbgkka.exe 1280 Pilfpqaa.exe 1784 Pdakniag.exe 2208 Pnjofo32.exe 1796 Poklngnf.exe -
Loads dropped DLL 64 IoCs
pid Process 1084 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 1084 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 2176 Efdhpjok.exe 2176 Efdhpjok.exe 2000 Fjbafi32.exe 2000 Fjbafi32.exe 2876 Foojop32.exe 2876 Foojop32.exe 2588 Fjdnlhco.exe 2588 Fjdnlhco.exe 2356 Fhikme32.exe 2356 Fhikme32.exe 2452 Fgohna32.exe 2452 Fgohna32.exe 2416 Fkmqdpce.exe 2416 Fkmqdpce.exe 884 Ggcaiqhj.exe 884 Ggcaiqhj.exe 2332 Gcokiaji.exe 2332 Gcokiaji.exe 936 Gjicfk32.exe 936 Gjicfk32.exe 768 Hfpdkl32.exe 768 Hfpdkl32.exe 1452 Hnkion32.exe 1452 Hnkion32.exe 1972 Hipmmg32.exe 1972 Hipmmg32.exe 1560 Halbai32.exe 1560 Halbai32.exe 1148 Hlafnbal.exe 1148 Hlafnbal.exe 2916 Hhhgcc32.exe 2916 Hhhgcc32.exe 2648 Hdoghdmd.exe 2648 Hdoghdmd.exe 692 Hmglajcd.exe 692 Hmglajcd.exe 1232 Ihmpobck.exe 1232 Ihmpobck.exe 1904 Imiigiab.exe 1904 Imiigiab.exe 2852 Ifampo32.exe 2852 Ifampo32.exe 1044 Ibhndp32.exe 1044 Ibhndp32.exe 1568 Iplnnd32.exe 1568 Iplnnd32.exe 816 Ifffkncm.exe 816 Ifffkncm.exe 1016 Iapgkl32.exe 1016 Iapgkl32.exe 2224 Jkhldafl.exe 2224 Jkhldafl.exe 1628 Jlhhndno.exe 1628 Jlhhndno.exe 2316 Jdcmbgkj.exe 2316 Jdcmbgkj.exe 2492 Jdhgnf32.exe 2492 Jdhgnf32.exe 2632 Kdjccf32.exe 2632 Kdjccf32.exe 2560 Kjglkm32.exe 2560 Kjglkm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pilfpqaa.exe Ppcbgkka.exe File created C:\Windows\SysWOW64\Enoamb32.dll Bofgii32.exe File opened for modification C:\Windows\SysWOW64\Cmmagpef.exe Cbgmigeq.exe File created C:\Windows\SysWOW64\Iphgln32.exe Ijkocg32.exe File opened for modification C:\Windows\SysWOW64\Mlelda32.exe Mdigoo32.exe File created C:\Windows\SysWOW64\Pmpbdm32.exe Pmmeon32.exe File created C:\Windows\SysWOW64\Dnpciaef.exe Cgfkmgnj.exe File created C:\Windows\SysWOW64\Jbpfnh32.exe Jelfdc32.exe File opened for modification C:\Windows\SysWOW64\Dgknkf32.exe Dekdikhc.exe File opened for modification C:\Windows\SysWOW64\Ombddbah.exe Ofilgh32.exe File created C:\Windows\SysWOW64\Anecfgdc.exe Qhkkim32.exe File opened for modification C:\Windows\SysWOW64\Efdhpjok.exe 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Lbafdlod.exe Jhbold32.exe File opened for modification C:\Windows\SysWOW64\Bbmcibjp.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Qobmnf32.dll Fggmldfp.exe File created C:\Windows\SysWOW64\Bplijcle.exe Bjbqmi32.exe File created C:\Windows\SysWOW64\Idjeonbj.dll Ddhaie32.exe File created C:\Windows\SysWOW64\Gogckopd.dll Mhdpnm32.exe File created C:\Windows\SysWOW64\Qcclhg32.dll Ogknoe32.exe File created C:\Windows\SysWOW64\Kdlbfien.dll Agpcihcf.exe File opened for modification C:\Windows\SysWOW64\Blkjkflb.exe Bogjaamh.exe File opened for modification C:\Windows\SysWOW64\Boljgg32.exe Bgaebe32.exe File created C:\Windows\SysWOW64\Bjoaognb.dll Fepjea32.exe File created C:\Windows\SysWOW64\Jjfkmdlg.exe Imbjcpnn.exe File opened for modification C:\Windows\SysWOW64\Okinik32.exe Nbqjqehd.exe File opened for modification C:\Windows\SysWOW64\Afqhjj32.exe Aadobccg.exe File opened for modification C:\Windows\SysWOW64\Opfegp32.exe Nflchkii.exe File opened for modification C:\Windows\SysWOW64\Ckpckece.exe Cqfbjhgf.exe File created C:\Windows\SysWOW64\Fbimkpmm.exe Fpjaodmj.exe File created C:\Windows\SysWOW64\Hnkion32.exe Hfpdkl32.exe File created C:\Windows\SysWOW64\Gffeolhl.dll Coafko32.exe File created C:\Windows\SysWOW64\Eomgdlji.dll Eldbkbop.exe File created C:\Windows\SysWOW64\Jcdadhjb.exe Jnemfa32.exe File opened for modification C:\Windows\SysWOW64\Bnqned32.exe Bckjhl32.exe File opened for modification C:\Windows\SysWOW64\Omnipjni.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Bdedod32.dll Mhkfnlme.exe File opened for modification C:\Windows\SysWOW64\Aadobccg.exe Anecfgdc.exe File opened for modification C:\Windows\SysWOW64\Foojop32.exe Fjbafi32.exe File created C:\Windows\SysWOW64\Dacpkc32.exe Dkigoimd.exe File created C:\Windows\SysWOW64\Cofdbf32.dll Pmpbdm32.exe File created C:\Windows\SysWOW64\Hjojpeec.dll Anbmbi32.exe File opened for modification C:\Windows\SysWOW64\Ddhaie32.exe Cqleifna.exe File created C:\Windows\SysWOW64\Ickcibdp.dll Hdhbci32.exe File created C:\Windows\SysWOW64\Njeelc32.exe Nckmpicl.exe File created C:\Windows\SysWOW64\Nogobaio.dll Kdjccf32.exe File created C:\Windows\SysWOW64\Bajqfq32.exe Bkmhnjlh.exe File created C:\Windows\SysWOW64\Hopbda32.dll Olebgfao.exe File created C:\Windows\SysWOW64\Pbeainng.dll Ephdjeol.exe File opened for modification C:\Windows\SysWOW64\Jnemfa32.exe Igpaec32.exe File created C:\Windows\SysWOW64\Okinik32.exe Nbqjqehd.exe File created C:\Windows\SysWOW64\Diaaeepi.exe Dddimn32.exe File created C:\Windows\SysWOW64\Cpmahlfd.dll Calcpm32.exe File opened for modification C:\Windows\SysWOW64\Jjfkmdlg.exe Imbjcpnn.exe File created C:\Windows\SysWOW64\Mcodqkbi.exe Mlelda32.exe File opened for modification C:\Windows\SysWOW64\Pfhhflmg.exe Pnmdbi32.exe File created C:\Windows\SysWOW64\Keigbd32.dll Hnpgloog.exe File opened for modification C:\Windows\SysWOW64\Halbai32.exe Hipmmg32.exe File created C:\Windows\SysWOW64\Cmhglq32.exe Cgkocj32.exe File created C:\Windows\SysWOW64\Ojglhm32.exe Oaogognm.exe File created C:\Windows\SysWOW64\Ljnnefda.dll Kfnmpn32.exe File created C:\Windows\SysWOW64\Elooehob.dll Kpcqnf32.exe File created C:\Windows\SysWOW64\Ckmqbj32.dll Nmcmgm32.exe File opened for modification C:\Windows\SysWOW64\Djiqdb32.exe Dcohghbk.exe File created C:\Windows\SysWOW64\Fgohna32.exe Fhikme32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1540 1464 WerFault.exe 598 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdoghdmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hiclkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Picojhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajhnb32.dll" Ebialmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mobaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjglkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajcipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmplbgpm.dll" Igceej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbkgbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqkmn32.dll" Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adleoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhkfnlme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll" Ebappk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agbpnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iphgln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ageompfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbomli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcqik32.dll" Aahimb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dddimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faiboc32.dll" Pdppqbkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehkcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcmklhm.dll" Pckajebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmqejl32.dll" Ibkmchbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfhhflmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mecglbfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obcffefa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kecjmodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffemqioj.dll" Aicmadmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eldbkbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imiigiab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egncgo32.dll" Ojbbmnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aadobccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkcqmgj.dll" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdiedagc.dll" Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eemnnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plhaeofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llmmpcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdaojbjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhkkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaceogh.dll" Afqhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnmpn32.dll" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnnkldn.dll" Hcblqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbomli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghoijebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obcffefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npabemib.dll" Blgcio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdkkcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bofgii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfpaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omcngamh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epbpbnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dadbdkld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifhgh32.dll" Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opihgfop.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1084 wrote to memory of 2176 1084 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 28 PID 1084 wrote to memory of 2176 1084 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 28 PID 1084 wrote to memory of 2176 1084 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 28 PID 1084 wrote to memory of 2176 1084 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 28 PID 2176 wrote to memory of 2000 2176 Efdhpjok.exe 29 PID 2176 wrote to memory of 2000 2176 Efdhpjok.exe 29 PID 2176 wrote to memory of 2000 2176 Efdhpjok.exe 29 PID 2176 wrote to memory of 2000 2176 Efdhpjok.exe 29 PID 2000 wrote to memory of 2876 2000 Fjbafi32.exe 30 PID 2000 wrote to memory of 2876 2000 Fjbafi32.exe 30 PID 2000 wrote to memory of 2876 2000 Fjbafi32.exe 30 PID 2000 wrote to memory of 2876 2000 Fjbafi32.exe 30 PID 2876 wrote to memory of 2588 2876 Foojop32.exe 31 PID 2876 wrote to memory of 2588 2876 Foojop32.exe 31 PID 2876 wrote to memory of 2588 2876 Foojop32.exe 31 PID 2876 wrote to memory of 2588 2876 Foojop32.exe 31 PID 2588 wrote to memory of 2356 2588 Fjdnlhco.exe 32 PID 2588 wrote to memory of 2356 2588 Fjdnlhco.exe 32 PID 2588 wrote to memory of 2356 2588 Fjdnlhco.exe 32 PID 2588 wrote to memory of 2356 2588 Fjdnlhco.exe 32 PID 2356 wrote to memory of 2452 2356 Fhikme32.exe 33 PID 2356 wrote to memory of 2452 2356 Fhikme32.exe 33 PID 2356 wrote to memory of 2452 2356 Fhikme32.exe 33 PID 2356 wrote to memory of 2452 2356 Fhikme32.exe 33 PID 2452 wrote to memory of 2416 2452 Fgohna32.exe 34 PID 2452 wrote to memory of 2416 2452 Fgohna32.exe 34 PID 2452 wrote to memory of 2416 2452 Fgohna32.exe 34 PID 2452 wrote to memory of 2416 2452 Fgohna32.exe 34 PID 2416 wrote to memory of 884 2416 Fkmqdpce.exe 35 PID 2416 wrote to memory of 884 2416 Fkmqdpce.exe 35 PID 2416 wrote to memory of 884 2416 Fkmqdpce.exe 35 PID 2416 wrote to memory of 884 2416 Fkmqdpce.exe 35 PID 884 wrote to memory of 2332 884 Ggcaiqhj.exe 36 PID 884 wrote to memory of 2332 884 Ggcaiqhj.exe 36 PID 884 wrote to memory of 2332 884 Ggcaiqhj.exe 36 PID 884 wrote to memory of 2332 884 Ggcaiqhj.exe 36 PID 2332 wrote to memory of 936 2332 Gcokiaji.exe 37 PID 2332 wrote to memory of 936 2332 Gcokiaji.exe 37 PID 2332 wrote to memory of 936 2332 Gcokiaji.exe 37 PID 2332 wrote to memory of 936 2332 Gcokiaji.exe 37 PID 936 wrote to memory of 768 936 Gjicfk32.exe 38 PID 936 wrote to memory of 768 936 Gjicfk32.exe 38 PID 936 wrote to memory of 768 936 Gjicfk32.exe 38 PID 936 wrote to memory of 768 936 Gjicfk32.exe 38 PID 768 wrote to memory of 1452 768 Hfpdkl32.exe 39 PID 768 wrote to memory of 1452 768 Hfpdkl32.exe 39 PID 768 wrote to memory of 1452 768 Hfpdkl32.exe 39 PID 768 wrote to memory of 1452 768 Hfpdkl32.exe 39 PID 1452 wrote to memory of 1972 1452 Hnkion32.exe 40 PID 1452 wrote to memory of 1972 1452 Hnkion32.exe 40 PID 1452 wrote to memory of 1972 1452 Hnkion32.exe 40 PID 1452 wrote to memory of 1972 1452 Hnkion32.exe 40 PID 1972 wrote to memory of 1560 1972 Hipmmg32.exe 41 PID 1972 wrote to memory of 1560 1972 Hipmmg32.exe 41 PID 1972 wrote to memory of 1560 1972 Hipmmg32.exe 41 PID 1972 wrote to memory of 1560 1972 Hipmmg32.exe 41 PID 1560 wrote to memory of 1148 1560 Halbai32.exe 42 PID 1560 wrote to memory of 1148 1560 Halbai32.exe 42 PID 1560 wrote to memory of 1148 1560 Halbai32.exe 42 PID 1560 wrote to memory of 1148 1560 Halbai32.exe 42 PID 1148 wrote to memory of 2916 1148 Hlafnbal.exe 43 PID 1148 wrote to memory of 2916 1148 Hlafnbal.exe 43 PID 1148 wrote to memory of 2916 1148 Hlafnbal.exe 43 PID 1148 wrote to memory of 2916 1148 Hlafnbal.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe36⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe37⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe38⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe39⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe40⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe41⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe42⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe44⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe45⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe46⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe49⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe50⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe51⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe53⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe54⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe55⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe56⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe57⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe60⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe62⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe63⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe64⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe65⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe66⤵PID:2672
-
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe67⤵PID:476
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe68⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe69⤵PID:2408
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe70⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe71⤵PID:1176
-
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe72⤵PID:2108
-
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe73⤵PID:2868
-
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe74⤵PID:2580
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe75⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe76⤵PID:2392
-
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe77⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe78⤵PID:1744
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe79⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe81⤵PID:1768
-
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe82⤵PID:2168
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe83⤵PID:1912
-
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe84⤵PID:1080
-
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe85⤵PID:1808
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe87⤵PID:1664
-
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe88⤵
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe89⤵PID:2028
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe90⤵PID:988
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe91⤵PID:3024
-
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe92⤵
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe93⤵PID:2456
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe94⤵PID:2376
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe95⤵PID:2516
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe96⤵PID:1472
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe97⤵
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe98⤵PID:2780
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe99⤵PID:800
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe100⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe101⤵
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe102⤵PID:1624
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe103⤵PID:2908
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe104⤵PID:904
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe108⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe110⤵PID:1180
-
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe111⤵PID:2700
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe113⤵PID:1672
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe114⤵PID:2008
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe115⤵PID:572
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe116⤵PID:1996
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe117⤵PID:1756
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe118⤵PID:2900
-
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe119⤵PID:1908
-
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe120⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe121⤵PID:1820
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-