Analysis
max time kernel: 147s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12/05/2024, 13:43

Behavioral task behavioral1
Sample: 175098f4a67beb75c0533a1d44a13a60_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 175098f4a67beb75c0533a1d44a13a60_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: 175098f4a67beb75c0533a1d44a13a60_NeikiAnalytics.exe
Size: 548KB
MD5: 175098f4a67beb75c0533a1d44a13a60
SHA1: f147883f90203f5e9d1a63c3a10bb40558785dad
SHA256: 84ae7320a4918d4b3696606cc1ebb87ec8b279f5151b3183d45a0f52c973c4f0
SHA512: 6f2e84e70b66599a9bdc779d753f2d5b97524ef71b984c6bac777525b51416240b2163016e919403c5eaf9d5ef1f2a5e308efad5df835e4addd1e32a34faa241
SSDEEP: 12288:o3Jvy2NLt74vj6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:oZNxMq5htaSHFaZRBEYyqmaf2qwiHPKu
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 1628 (WerFault.exe), pid_target 2100, procid_target 603
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (the leading number is the depth in the tree; each process is a child of the one above it):

1. C:\Users\Admin\AppData\Local\Temp\175098f4a67beb75c0533a1d44a13a60_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\175098f4a67beb75c0533a1d44a13a60_NeikiAnalytics.exe"), PID 2300
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Pddnnp32.exe (command line: C:\Windows\system32\Pddnnp32.exe), PID 2704
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Phbgcnig.exe (command line: C:\Windows\system32\Phbgcnig.exe), PID 2460
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Afajafoa.exe (command line: C:\Windows\system32\Afajafoa.exe), PID 2572
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Acekjjmk.exe (command line: C:\Windows\system32\Acekjjmk.exe), PID 2680
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Badnhbce.exe (command line: C:\Windows\system32\Badnhbce.exe), PID 2604
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Bmnlbcfg.exe (command line: C:\Windows\system32\Bmnlbcfg.exe), PID 2856
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Blchcpko.exe (command line: C:\Windows\system32\Blchcpko.exe), PID 528
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Bpqain32.exe (command line: C:\Windows\system32\Bpqain32.exe), PID 2188
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Cllkin32.exe (command line: C:\Windows\system32\Cllkin32.exe), PID 2792
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Cheido32.exe (command line: C:\Windows\system32\Cheido32.exe), PID 3012
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Danmmd32.exe (command line: C:\Windows\system32\Danmmd32.exe), PID 2000
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Dllhhaep.exe (command line: C:\Windows\system32\Dllhhaep.exe), PID 1924
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Daipqhdg.exe (command line: C:\Windows\system32\Daipqhdg.exe), PID 2588
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Eoompl32.exe (command line: C:\Windows\system32\Eoompl32.exe), PID 1772
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ejkkfjkj.exe (command line: C:\Windows\system32\Ejkkfjkj.exe), PID 2064
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fkejcq32.exe (command line: C:\Windows\system32\Fkejcq32.exe), PID 2124
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Fhikme32.exe (command line: C:\Windows\system32\Fhikme32.exe), PID 1472
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
19. C:\Windows\SysWOW64\Fqglggcp.exe (command line: C:\Windows\system32\Fqglggcp.exe), PID 1668
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Gjdjklek.exe (command line: C:\Windows\system32\Gjdjklek.exe), PID 1488
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Giiglhjb.exe (command line: C:\Windows\system32\Giiglhjb.exe), PID 1612
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Gpelnb32.exe (command line: C:\Windows\system32\Gpelnb32.exe), PID 2036
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
23. C:\Windows\SysWOW64\Hinqgg32.exe (command line: C:\Windows\system32\Hinqgg32.exe), PID 908
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Hbfepmmn.exe (command line: C:\Windows\system32\Hbfepmmn.exe), PID 2748
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Hbknkl32.exe (command line: C:\Windows\system32\Hbknkl32.exe), PID 1752
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Hhhgcc32.exe (command line: C:\Windows\system32\Hhhgcc32.exe), PID 708
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Hmeolj32.exe (command line: C:\Windows\system32\Hmeolj32.exe), PID 2092
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Hfmddp32.exe (command line: C:\Windows\system32\Hfmddp32.exe), PID 2688
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
29. C:\Windows\SysWOW64\Iabhah32.exe (command line: C:\Windows\system32\Iabhah32.exe), PID 2540
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
30. C:\Windows\SysWOW64\Ibfaopoi.exe (command line: C:\Windows\system32\Ibfaopoi.exe), PID 2564
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Imleli32.exe (command line: C:\Windows\system32\Imleli32.exe), PID 2712
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Ibhndp32.exe (command line: C:\Windows\system32\Ibhndp32.exe), PID 2500
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Iplnnd32.exe (command line: C:\Windows\system32\Iplnnd32.exe), PID 2344
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Jodhdp32.exe (command line: C:\Windows\system32\Jodhdp32.exe), PID 1884
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Jdaqmg32.exe (command line: C:\Windows\system32\Jdaqmg32.exe), PID 1904
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Jniefm32.exe (command line: C:\Windows\system32\Jniefm32.exe), PID 1364
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Jdejhfig.exe (command line: C:\Windows\system32\Jdejhfig.exe), PID 1284
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Jplkmgol.exe (command line: C:\Windows\system32\Jplkmgol.exe), PID 1992
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Jlckbh32.exe (command line: C:\Windows\system32\Jlckbh32.exe), PID 2684
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Knbhlkkc.exe (command line: C:\Windows\system32\Knbhlkkc.exe), PID 1980
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Kcopdb32.exe (command line: C:\Windows\system32\Kcopdb32.exe), PID 2636
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Klhemhpk.exe (command line: C:\Windows\system32\Klhemhpk.exe), PID 2288
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Kfpifm32.exe (command line: C:\Windows\system32\Kfpifm32.exe), PID 2248
   - Executes dropped EXE
   - Drops file in System32 directory
44. C:\Windows\SysWOW64\Kcdjoaee.exe (command line: C:\Windows\system32\Kcdjoaee.exe), PID 2140
   - Executes dropped EXE
   - Modifies registry class
45. C:\Windows\SysWOW64\Khabghdl.exe (command line: C:\Windows\system32\Khabghdl.exe), PID 2428
   - Executes dropped EXE
   - Drops file in System32 directory
46. C:\Windows\SysWOW64\Kfebambf.exe (command line: C:\Windows\system32\Kfebambf.exe), PID 1544
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Lkakicam.exe (command line: C:\Windows\system32\Lkakicam.exe), PID 1156
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Lblcfnhj.exe (command line: C:\Windows\system32\Lblcfnhj.exe), PID 1120
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Lneaqn32.exe (command line: C:\Windows\system32\Lneaqn32.exe), PID 2100
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
50. C:\Windows\SysWOW64\Ldoimh32.exe (command line: C:\Windows\system32\Ldoimh32.exe), PID 1716
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Lmjnak32.exe (command line: C:\Windows\system32\Lmjnak32.exe), PID 880
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
52. C:\Windows\SysWOW64\Lgoboc32.exe (command line: C:\Windows\system32\Lgoboc32.exe), PID 3036
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Lmljgj32.exe (command line: C:\Windows\system32\Lmljgj32.exe), PID 2116
   - Executes dropped EXE
   - Drops file in System32 directory
54. C:\Windows\SysWOW64\Mfdopp32.exe (command line: C:\Windows\system32\Mfdopp32.exe), PID 960
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Mnbpjb32.exe (command line: C:\Windows\system32\Mnbpjb32.exe), PID 2520
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
56. C:\Windows\SysWOW64\Mihdgkpp.exe (command line: C:\Windows\system32\Mihdgkpp.exe), PID 2120
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Mijamjnm.exe (command line: C:\Windows\system32\Mijamjnm.exe), PID 2380
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
58. C:\Windows\SysWOW64\Mbbfep32.exe (command line: C:\Windows\system32\Mbbfep32.exe), PID 2716
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Mhonngce.exe (command line: C:\Windows\system32\Mhonngce.exe), PID 556
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Mnifja32.exe (command line: C:\Windows\system32\Mnifja32.exe), PID 1112
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Njpgpbpf.exe (command line: C:\Windows\system32\Njpgpbpf.exe), PID 2816
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Nhdhif32.exe (command line: C:\Windows\system32\Nhdhif32.exe), PID 2804
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Nlfmbibo.exe (command line: C:\Windows\system32\Nlfmbibo.exe), PID 2600
   - Executes dropped EXE
   - Modifies registry class
64. C:\Windows\SysWOW64\Nfkapb32.exe (command line: C:\Windows\system32\Nfkapb32.exe), PID 636
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Noffdd32.exe (command line: C:\Windows\system32\Noffdd32.exe), PID 2272
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Ohojmjep.exe (command line: C:\Windows\system32\Ohojmjep.exe), PID 2320
   - Drops file in System32 directory
67. C:\Windows\SysWOW64\Oeckfndj.exe (command line: C:\Windows\system32\Oeckfndj.exe), PID 524
68. C:\Windows\SysWOW64\Obgkpb32.exe (command line: C:\Windows\system32\Obgkpb32.exe), PID 2052
69. C:\Windows\SysWOW64\Ohcdhi32.exe (command line: C:\Windows\system32\Ohcdhi32.exe), PID 2652
70. C:\Windows\SysWOW64\Oanefo32.exe (command line: C:\Windows\system32\Oanefo32.exe), PID 864
71. C:\Windows\SysWOW64\Oijjka32.exe (command line: C:\Windows\system32\Oijjka32.exe), PID 1740
72. C:\Windows\SysWOW64\Pcbncfjd.exe (command line: C:\Windows\system32\Pcbncfjd.exe), PID 1464
73. C:\Windows\SysWOW64\Pciddedl.exe (command line: C:\Windows\system32\Pciddedl.exe), PID 1680
   - Drops file in System32 directory
74. C:\Windows\SysWOW64\Popeif32.exe (command line: C:\Windows\system32\Popeif32.exe), PID 1936
75. C:\Windows\SysWOW64\Phhjblpa.exe (command line: C:\Windows\system32\Phhjblpa.exe), PID 2616
   - Modifies registry class
76. C:\Windows\SysWOW64\Qnebjc32.exe (command line: C:\Windows\system32\Qnebjc32.exe), PID 2356
77. C:\Windows\SysWOW64\Qododfek.exe (command line: C:\Windows\system32\Qododfek.exe), PID 2608
   - Modifies registry class
78. C:\Windows\SysWOW64\Qdaglmcb.exe (command line: C:\Windows\system32\Qdaglmcb.exe), PID 1608
79. C:\Windows\SysWOW64\Abegfa32.exe (command line: C:\Windows\system32\Abegfa32.exe), PID 2096
80. C:\Windows\SysWOW64\Ajqljc32.exe (command line: C:\Windows\system32\Ajqljc32.exe), PID 1116
81. C:\Windows\SysWOW64\Amohfo32.exe (command line: C:\Windows\system32\Amohfo32.exe), PID 1648
82. C:\Windows\SysWOW64\Ajcipc32.exe (command line: C:\Windows\system32\Ajcipc32.exe), PID 956
83. C:\Windows\SysWOW64\Aggiigmn.exe (command line: C:\Windows\system32\Aggiigmn.exe), PID 1088
   - Modifies registry class
84. C:\Windows\SysWOW64\Acnjnh32.exe (command line: C:\Windows\system32\Acnjnh32.exe), PID 584
85. C:\Windows\SysWOW64\Bcpgdhpp.exe (command line: C:\Windows\system32\Bcpgdhpp.exe), PID 2812
86. C:\Windows\SysWOW64\Bkklhjnk.exe (command line: C:\Windows\system32\Bkklhjnk.exe), PID 1984
87. C:\Windows\SysWOW64\Becpap32.exe (command line: C:\Windows\system32\Becpap32.exe), PID 1084
88. C:\Windows\SysWOW64\Bbgqjdce.exe (command line: C:\Windows\system32\Bbgqjdce.exe), PID 2024
89. C:\Windows\SysWOW64\Bkpeci32.exe (command line: C:\Windows\system32\Bkpeci32.exe), PID 1508
90. C:\Windows\SysWOW64\Bgffhkoj.exe (command line: C:\Windows\system32\Bgffhkoj.exe), PID 1828
91. C:\Windows\SysWOW64\Bejfao32.exe (command line: C:\Windows\system32\Bejfao32.exe), PID 1584
   - Modifies registry class
92. C:\Windows\SysWOW64\Cfnoogbo.exe (command line: C:\Windows\system32\Cfnoogbo.exe), PID 804
93. C:\Windows\SysWOW64\Ccbphk32.exe (command line: C:\Windows\system32\Ccbphk32.exe), PID 2620
94. C:\Windows\SysWOW64\Ccdmnj32.exe (command line: C:\Windows\system32\Ccdmnj32.exe), PID 1704
95. C:\Windows\SysWOW64\Ceeieced.exe (command line: C:\Windows\system32\Ceeieced.exe), PID 2348
96. C:\Windows\SysWOW64\Clbnhmjo.exe (command line: C:\Windows\system32\Clbnhmjo.exe), PID 1236
97. C:\Windows\SysWOW64\Daofpchf.exe (command line: C:\Windows\system32\Daofpchf.exe), PID 2696
   - Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Dldkmlhl.exe (command line: C:\Windows\system32\Dldkmlhl.exe), PID 1952
   - Modifies registry class
99. C:\Windows\SysWOW64\Dlfgcl32.exe (command line: C:\Windows\system32\Dlfgcl32.exe), PID 1976
100. C:\Windows\SysWOW64\Ddblgn32.exe (command line: C:\Windows\system32\Ddblgn32.exe), PID 2932
101. C:\Windows\SysWOW64\Dphmloih.exe (command line: C:\Windows\system32\Dphmloih.exe), PID 1140
102. C:\Windows\SysWOW64\Dknajh32.exe (command line: C:\Windows\system32\Dknajh32.exe), PID 2256
   - Modifies registry class
103. C:\Windows\SysWOW64\Ddfebnoo.exe (command line: C:\Windows\system32\Ddfebnoo.exe), PID 2252
104. C:\Windows\SysWOW64\Eiekpd32.exe (command line: C:\Windows\system32\Eiekpd32.exe), PID 676
   - Drops file in System32 directory
105. C:\Windows\SysWOW64\Eldglp32.exe (command line: C:\Windows\system32\Eldglp32.exe), PID 2744
106. C:\Windows\SysWOW64\Egikjh32.exe (command line: C:\Windows\system32\Egikjh32.exe), PID 2944
107. C:\Windows\SysWOW64\Eihgfd32.exe (command line: C:\Windows\system32\Eihgfd32.exe), PID 1532
108. C:\Windows\SysWOW64\Eoepnk32.exe (command line: C:\Windows\system32\Eoepnk32.exe), PID 868
109. C:\Windows\SysWOW64\Fhbnbpjc.exe (command line: C:\Windows\system32\Fhbnbpjc.exe), PID 2660
   - Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Fhdjgoha.exe (command line: C:\Windows\system32\Fhdjgoha.exe), PID 2456
111. C:\Windows\SysWOW64\Fnacpffh.exe (command line: C:\Windows\system32\Fnacpffh.exe), PID 1372
112. C:\Windows\SysWOW64\Fcnkhmdp.exe (command line: C:\Windows\system32\Fcnkhmdp.exe), PID 1928
113. C:\Windows\SysWOW64\Fncpef32.exe (command line: C:\Windows\system32\Fncpef32.exe), PID 1688
114. C:\Windows\SysWOW64\Fjjpjgjj.exe (command line: C:\Windows\system32\Fjjpjgjj.exe), PID 1176
   - Adds autorun key to be loaded by Explorer.exe on startup
115. C:\Windows\SysWOW64\Fhomkcoa.exe (command line: C:\Windows\system32\Fhomkcoa.exe), PID 2156
116. C:\Windows\SysWOW64\Gceailog.exe (command line: C:\Windows\system32\Gceailog.exe), PID 2292
   - Modifies registry class
117. C:\Windows\SysWOW64\Gkpfmnlb.exe (command line: C:\Windows\system32\Gkpfmnlb.exe), PID 2084
118. C:\Windows\SysWOW64\Gmpcgace.exe (command line: C:\Windows\system32\Gmpcgace.exe), PID 2976
119. C:\Windows\SysWOW64\Gblkoham.exe (command line: C:\Windows\system32\Gblkoham.exe), PID 2528
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
120. C:\Windows\SysWOW64\Gifclb32.exe (command line: C:\Windows\system32\Gifclb32.exe), PID 2516
121. C:\Windows\SysWOW64\Gjjmijme.exe (command line: C:\Windows\system32\Gjjmijme.exe), PID 2664
122. C:\Windows\SysWOW64\Hkiicmdh.exe (command line: C:\Windows\system32\Hkiicmdh.exe), PID 564