Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20/05/2024, 11:17
Behavioral task
behavioral1
Sample
f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
f26f3f2c6000933752133575e0170740
-
SHA1
baa02d6827190c7360baf47602724d19d5ec3010
-
SHA256
8bc9ead11ae5f3c95082423dbb695726f4f852ff225bc14287e92281b5bfb27f
-
SHA512
2cd36bd51cbcf07fdcec81c1e373b134972a0005c655cab6cfd42c0235578496e6ee0edee4fdc04ce587e4af0cc7a26045ad0fc5e49c66677fa9afcad817af33
-
SSDEEP
24576:fZlFXPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oW2to:RlFnbazR0vKLXZ8to
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inqcif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpagq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhgdkjol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbalifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilqpdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllpkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illgimph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkomfjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inljnfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coklgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqhpdhcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jicgpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cppkph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhhfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flgeqgog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpejeihi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b000000015bb9-5.dat family_berbew behavioral1/files/0x0007000000015cdb-25.dat family_berbew behavioral1/files/0x0007000000015cf7-42.dat family_berbew behavioral1/files/0x0008000000015d6e-48.dat family_berbew behavioral1/files/0x0006000000016c7a-67.dat family_berbew behavioral1/files/0x0006000000016cc9-73.dat family_berbew behavioral1/files/0x0006000000016ced-88.dat family_berbew behavioral1/files/0x0006000000016cfe-112.dat family_berbew behavioral1/files/0x0006000000016d40-165.dat family_berbew behavioral1/files/0x0006000000017185-206.dat family_berbew behavioral1/files/0x000500000001938d-333.dat family_berbew behavioral1/files/0x0005000000019995-511.dat family_berbew behavioral1/files/0x000500000001a4aa-674.dat family_berbew behavioral1/files/0x000500000001a4cf-768.dat family_berbew behavioral1/files/0x000500000001c77c-948.dat family_berbew behavioral1/files/0x000500000001c8ba-1167.dat family_berbew behavioral1/files/0x000400000001c946-1226.dat family_berbew behavioral1/files/0x000400000001cb65-1317.dat family_berbew behavioral1/files/0x000400000001cb89-1346.dat family_berbew behavioral1/files/0x000400000001cbbf-1394.dat family_berbew behavioral1/files/0x000400000001cbe7-1439.dat family_berbew behavioral1/files/0x000400000001cc12-1482.dat family_berbew behavioral1/files/0x000400000001ccaa-1637.dat family_berbew behavioral1/files/0x000400000001d169-1814.dat family_berbew behavioral1/files/0x000400000001d3c2-1926.dat family_berbew behavioral1/files/0x000400000001d664-1998.dat family_berbew behavioral1/files/0x000400000001d9b0-2214.dat family_berbew behavioral1/files/0x000400000001d9cd-2270.dat family_berbew behavioral1/files/0x000400000001d9e5-2319.dat family_berbew behavioral1/files/0x000400000001da07-2375.dat family_berbew behavioral1/files/0x000400000001da46-2431.dat family_berbew behavioral1/files/0x000400000001daed-2575.dat family_berbew behavioral1/files/0x000400000001dbcf-2647.dat family_berbew behavioral1/files/0x000400000001dcc2-2831.dat family_berbew behavioral1/files/0x000400000001de4b-3072.dat family_berbew behavioral1/files/0x000400000001deca-3200.dat family_berbew behavioral1/files/0x000400000001e9bc-3753.dat family_berbew behavioral1/files/0x000300000001fdf1-3857.dat family_berbew behavioral1/files/0x00050000000201aa-4075.dat family_berbew behavioral1/files/0x00040000000204dd-4371.dat family_berbew behavioral1/files/0x00040000000205a3-4555.dat family_berbew behavioral1/files/0x000400000002062d-4668.dat family_berbew behavioral1/files/0x00040000000206ee-4780.dat family_berbew behavioral1/files/0x00030000000207ee-4884.dat family_berbew behavioral1/files/0x0003000000020830-5004.dat family_berbew behavioral1/files/0x000300000002086d-5076.dat family_berbew behavioral1/files/0x0003000000020867-5068.dat family_berbew behavioral1/files/0x0003000000020864-5062.dat family_berbew behavioral1/files/0x0003000000020861-5052.dat family_berbew behavioral1/files/0x0003000000020858-5044.dat family_berbew behavioral1/files/0x0003000000020854-5036.dat family_berbew behavioral1/files/0x000300000002084e-5028.dat family_berbew behavioral1/files/0x0003000000020849-5020.dat family_berbew behavioral1/files/0x0003000000020834-5012.dat family_berbew behavioral1/files/0x000300000002082e-4996.dat family_berbew behavioral1/files/0x000300000002082c-4988.dat family_berbew behavioral1/files/0x0003000000020828-4980.dat family_berbew behavioral1/files/0x0003000000020824-4972.dat family_berbew behavioral1/files/0x0003000000020820-4964.dat family_berbew behavioral1/files/0x000300000002081c-4956.dat family_berbew behavioral1/files/0x0003000000020819-4948.dat family_berbew behavioral1/files/0x0003000000020816-4940.dat family_berbew behavioral1/files/0x0003000000020810-4932.dat family_berbew behavioral1/files/0x000300000002080c-4924.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1724 Ofdcjm32.exe 2532 Oomhcbjp.exe 2512 Oenifh32.exe 1940 Ofpfnqjp.exe 2440 Peiljl32.exe 2468 Pmqdkj32.exe 356 Pfiidobe.exe 2568 Plfamfpm.exe 1604 Ahchbf32.exe 1236 Affhncfc.exe 2164 Ampqjm32.exe 2240 Adjigg32.exe 1896 Ajdadamj.exe 1644 Apajlhka.exe 580 Abpfhcje.exe 1772 Aiinen32.exe 3020 Alhjai32.exe 2100 Aoffmd32.exe 884 Afmonbqk.exe 968 Ailkjmpo.exe 240 Bpfcgg32.exe 2096 Bagpopmj.exe 2084 Bingpmnl.exe 1164 Blmdlhmp.exe 2948 Bokphdld.exe 2176 Bhcdaibd.exe 2968 Bkaqmeah.exe 2828 Balijo32.exe 2520 Bhfagipa.exe 2524 Bopicc32.exe 2916 Bhhnli32.exe 1740 Bnefdp32.exe 2592 Bpcbqk32.exe 2648 Ckignd32.exe 1836 Cljcelan.exe 2788 Cdakgibq.exe 2676 Cgpgce32.exe 2792 Cjndop32.exe 1384 Cllpkl32.exe 452 Coklgg32.exe 1692 Cgbdhd32.exe 376 Clomqk32.exe 2508 Cciemedf.exe 1864 Cjbmjplb.exe 2992 Claifkkf.exe 2296 Copfbfjj.exe 3024 Cfinoq32.exe 2400 Ckffgg32.exe 1976 Dflkdp32.exe 2944 Dkhcmgnl.exe 2644 Dqelenlc.exe 2416 Dkkpbgli.exe 2224 Dnilobkm.exe 560 Ddcdkl32.exe 1872 Dkmmhf32.exe 1224 Dmoipopd.exe 2312 Dqjepm32.exe 2276 Dgdmmgpj.exe 652 Djbiicon.exe 2908 Dqlafm32.exe 2736 Dgfjbgmh.exe 2156 Dfijnd32.exe 1932 Eihfjo32.exe 1908 Epaogi32.exe -
Loads dropped DLL 64 IoCs
pid Process 1924 f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe 1924 f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe 1724 Ofdcjm32.exe 1724 Ofdcjm32.exe 2532 Oomhcbjp.exe 2532 Oomhcbjp.exe 2512 Oenifh32.exe 2512 Oenifh32.exe 1940 Ofpfnqjp.exe 1940 Ofpfnqjp.exe 2440 Peiljl32.exe 2440 Peiljl32.exe 2468 Pmqdkj32.exe 2468 Pmqdkj32.exe 356 Pfiidobe.exe 356 Pfiidobe.exe 2568 Plfamfpm.exe 2568 Plfamfpm.exe 1604 Ahchbf32.exe 1604 Ahchbf32.exe 1236 Affhncfc.exe 1236 Affhncfc.exe 2164 Ampqjm32.exe 2164 Ampqjm32.exe 2240 Adjigg32.exe 2240 Adjigg32.exe 1896 Ajdadamj.exe 1896 Ajdadamj.exe 1644 Apajlhka.exe 1644 Apajlhka.exe 580 Abpfhcje.exe 580 Abpfhcje.exe 1772 Aiinen32.exe 1772 Aiinen32.exe 3020 Alhjai32.exe 3020 Alhjai32.exe 2100 Aoffmd32.exe 2100 Aoffmd32.exe 884 Afmonbqk.exe 884 Afmonbqk.exe 968 Ailkjmpo.exe 968 Ailkjmpo.exe 240 Bpfcgg32.exe 240 Bpfcgg32.exe 2096 Bagpopmj.exe 2096 Bagpopmj.exe 2084 Bingpmnl.exe 2084 Bingpmnl.exe 1164 Blmdlhmp.exe 1164 Blmdlhmp.exe 2948 Bokphdld.exe 2948 Bokphdld.exe 2176 Bhcdaibd.exe 2176 Bhcdaibd.exe 2968 Bkaqmeah.exe 2968 Bkaqmeah.exe 2828 Balijo32.exe 2828 Balijo32.exe 2520 Bhfagipa.exe 2520 Bhfagipa.exe 2524 Bopicc32.exe 2524 Bopicc32.exe 2916 Bhhnli32.exe 2916 Bhhnli32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dnilobkm.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Jiakjb32.exe Jbgbni32.exe File opened for modification C:\Windows\SysWOW64\Eqdajkkb.exe Enfenplo.exe File created C:\Windows\SysWOW64\Giegfm32.dll Kbbngf32.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Oecbjjic.dll Globlmmj.exe File opened for modification C:\Windows\SysWOW64\Gfjhgdck.exe Gdllkhdg.exe File opened for modification C:\Windows\SysWOW64\Lcfqkl32.exe Llohjo32.exe File created C:\Windows\SysWOW64\Efjcibje.dll Enkece32.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Iknnbklc.exe File created C:\Windows\SysWOW64\Ifcbodli.exe Inljnfkg.exe File opened for modification C:\Windows\SysWOW64\Ngpolo32.exe Nceclqan.exe File created C:\Windows\SysWOW64\Kcakaipc.exe Kkjcplpa.exe File created C:\Windows\SysWOW64\Aefeijle.exe Anlmmp32.exe File created C:\Windows\SysWOW64\Abkphdmd.dll Edkcojga.exe File created C:\Windows\SysWOW64\Elbepj32.dll Dmoipopd.exe File created C:\Windows\SysWOW64\Gaqcoc32.exe Gobgcg32.exe File opened for modification C:\Windows\SysWOW64\Eqijej32.exe Eibbcm32.exe File opened for modification C:\Windows\SysWOW64\Gpejeihi.exe Gmgninie.exe File created C:\Windows\SysWOW64\Bgpokk32.dll Pmqdkj32.exe File created C:\Windows\SysWOW64\Nhdlkdkg.exe Nefpnhlc.exe File opened for modification C:\Windows\SysWOW64\Lndohedg.exe Lfmffhde.exe File created C:\Windows\SysWOW64\Djmccf32.dll Idmhkpml.exe File created C:\Windows\SysWOW64\Dhcebp32.dll Jjjacf32.exe File created C:\Windows\SysWOW64\Heglio32.exe Hbhomd32.exe File opened for modification C:\Windows\SysWOW64\Hkfagfop.exe Hgjefg32.exe File opened for modification C:\Windows\SysWOW64\Meppiblm.exe Mmihhelk.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Kgnnln32.exe File created C:\Windows\SysWOW64\Mihiih32.exe Mgimmm32.exe File created C:\Windows\SysWOW64\Fgefik32.dll Ojcecjee.exe File created C:\Windows\SysWOW64\Fjongcbl.exe Fhqbkhch.exe File created C:\Windows\SysWOW64\Pjehnpjo.dll Gdllkhdg.exe File created C:\Windows\SysWOW64\Pecomlgc.dll Libicbma.exe File opened for modification C:\Windows\SysWOW64\Eiaiqn32.exe Eajaoq32.exe File opened for modification C:\Windows\SysWOW64\Ldidkbpb.exe Lefdpe32.exe File created C:\Windows\SysWOW64\Icdepo32.dll Gdjpeifj.exe File created C:\Windows\SysWOW64\Ijbdha32.exe Igchlf32.exe File opened for modification C:\Windows\SysWOW64\Dnilobkm.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Ecmkghcl.exe Epaogi32.exe File created C:\Windows\SysWOW64\Dbnkge32.dll Goddhg32.exe File created C:\Windows\SysWOW64\Bcinmgng.dll Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Pmdjdh32.exe Pjenhm32.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Oegbkc32.dll Hgmalg32.exe File opened for modification C:\Windows\SysWOW64\Kegqdqbl.exe Kbidgeci.exe File created C:\Windows\SysWOW64\Njmggi32.dll Ejhlgaeh.exe File created C:\Windows\SysWOW64\Fibkpd32.dll Nkpegi32.exe File created C:\Windows\SysWOW64\Jfpjfeia.dll Djbiicon.exe File created C:\Windows\SysWOW64\Jmgogg32.dll Mdkqqa32.exe File created C:\Windows\SysWOW64\Dglpbbbg.exe Doehqead.exe File created C:\Windows\SysWOW64\Gmpgio32.exe Gffoldhp.exe File created C:\Windows\SysWOW64\Ggeiabkc.dll Ganpomec.exe File opened for modification C:\Windows\SysWOW64\Gfobbc32.exe Gbcfadgl.exe File created C:\Windows\SysWOW64\Heihnoph.exe Hanlnp32.exe File opened for modification C:\Windows\SysWOW64\Eiomkn32.exe Efppoc32.exe File opened for modification C:\Windows\SysWOW64\Kocbkk32.exe Kmefooki.exe File created C:\Windows\SysWOW64\Imbiaa32.dll Melfncqb.exe File created C:\Windows\SysWOW64\Dkcinege.dll Hoamgd32.exe File created C:\Windows\SysWOW64\Lqelfddi.dll Dlkepi32.exe File created C:\Windows\SysWOW64\Ganpomec.exe Gifhnpea.exe File opened for modification C:\Windows\SysWOW64\Igonafba.exe Hdqbekcm.exe File created C:\Windows\SysWOW64\Jepgqikf.dll Inngcfid.exe File created C:\Windows\SysWOW64\Feocmm32.dll Jiakjb32.exe File created C:\Windows\SysWOW64\Glgaok32.exe Gmdadnkh.exe -
Program crash 1 IoCs
pid pid_target Process 7088 6888 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeahel32.dll" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkng32.dll" Bfcampgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fekpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdehon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll" Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnipnaf.dll" Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmepigc.dll" Kjljhjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddnkn32.dll" Jbgkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cciemedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfekcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llcefjgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcccl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilgb32.dll" Pjenhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najdnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpehocqo.dll" Heglio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkebie32.dll" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhaff32.dll" Peiljl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgbdhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamimc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epaogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgbni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdcdhpk.dll" Bingpmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcinege.dll" Hoamgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mholen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiabof32.dll" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhladfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfmihf.dll" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limilm32.dll" Kcfkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfgdhjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chbjffad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoopae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkjnkib.dll" Pggbla32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1924 wrote to memory of 1724 1924 f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe 28 PID 1924 wrote to memory of 1724 1924 f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe 28 PID 1924 wrote to memory of 1724 1924 f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe 28 PID 1924 wrote to memory of 1724 1924 f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe 28 PID 1724 wrote to memory of 2532 1724 Ofdcjm32.exe 29 PID 1724 wrote to memory of 2532 1724 Ofdcjm32.exe 29 PID 1724 wrote to memory of 2532 1724 Ofdcjm32.exe 29 PID 1724 wrote to memory of 2532 1724 Ofdcjm32.exe 29 PID 2532 wrote to memory of 2512 2532 Oomhcbjp.exe 30 PID 2532 wrote to memory of 2512 2532 Oomhcbjp.exe 30 PID 2532 wrote to memory of 2512 2532 Oomhcbjp.exe 30 PID 2532 wrote to memory of 2512 2532 Oomhcbjp.exe 30 PID 2512 wrote to memory of 1940 2512 Oenifh32.exe 31 PID 2512 wrote to memory of 1940 2512 Oenifh32.exe 31 PID 2512 wrote to memory of 1940 2512 Oenifh32.exe 31 PID 2512 wrote to memory of 1940 2512 Oenifh32.exe 31 PID 1940 wrote to memory of 2440 1940 Ofpfnqjp.exe 32 PID 1940 wrote to memory of 2440 1940 Ofpfnqjp.exe 32 PID 1940 wrote to memory of 2440 1940 Ofpfnqjp.exe 32 PID 1940 wrote to memory of 2440 1940 Ofpfnqjp.exe 32 PID 2440 wrote to memory of 2468 2440 Peiljl32.exe 33 PID 2440 wrote to memory of 2468 2440 Peiljl32.exe 33 PID 2440 wrote to memory of 2468 2440 Peiljl32.exe 33 PID 2440 wrote to memory of 2468 2440 Peiljl32.exe 33 PID 2468 wrote to memory of 356 2468 Pmqdkj32.exe 34 PID 2468 wrote to memory of 356 2468 Pmqdkj32.exe 34 PID 2468 wrote to memory of 356 2468 Pmqdkj32.exe 34 PID 2468 wrote to memory of 356 2468 Pmqdkj32.exe 34 PID 356 wrote to memory of 2568 356 Pfiidobe.exe 35 PID 356 wrote to memory of 2568 356 Pfiidobe.exe 35 PID 356 wrote to memory of 2568 356 Pfiidobe.exe 35 PID 356 wrote to memory of 2568 356 Pfiidobe.exe 35 PID 2568 wrote to memory of 1604 2568 Plfamfpm.exe 36 PID 2568 wrote to memory of 1604 2568 Plfamfpm.exe 36 PID 2568 wrote to memory of 1604 2568 Plfamfpm.exe 36 PID 2568 wrote to memory of 1604 2568 Plfamfpm.exe 36 PID 1604 wrote to memory of 1236 1604 Ahchbf32.exe 37 PID 1604 wrote to memory of 1236 1604 Ahchbf32.exe 37 PID 1604 wrote to memory of 1236 1604 Ahchbf32.exe 37 PID 1604 wrote to memory of 1236 1604 Ahchbf32.exe 37 PID 1236 wrote to memory of 2164 1236 Affhncfc.exe 38 PID 1236 wrote to memory of 2164 1236 Affhncfc.exe 38 PID 1236 wrote to memory of 2164 1236 Affhncfc.exe 38 PID 1236 wrote to memory of 2164 1236 Affhncfc.exe 38 PID 2164 wrote to memory of 2240 2164 Ampqjm32.exe 39 PID 2164 wrote to memory of 2240 2164 Ampqjm32.exe 39 PID 2164 wrote to memory of 2240 2164 Ampqjm32.exe 39 PID 2164 wrote to memory of 2240 2164 Ampqjm32.exe 39 PID 2240 wrote to memory of 1896 2240 Adjigg32.exe 40 PID 2240 wrote to memory of 1896 2240 Adjigg32.exe 40 PID 2240 wrote to memory of 1896 2240 Adjigg32.exe 40 PID 2240 wrote to memory of 1896 2240 Adjigg32.exe 40 PID 1896 wrote to memory of 1644 1896 Ajdadamj.exe 41 PID 1896 wrote to memory of 1644 1896 Ajdadamj.exe 41 PID 1896 wrote to memory of 1644 1896 Ajdadamj.exe 41 PID 1896 wrote to memory of 1644 1896 Ajdadamj.exe 41 PID 1644 wrote to memory of 580 1644 Apajlhka.exe 42 PID 1644 wrote to memory of 580 1644 Apajlhka.exe 42 PID 1644 wrote to memory of 580 1644 Apajlhka.exe 42 PID 1644 wrote to memory of 580 1644 Apajlhka.exe 42 PID 580 wrote to memory of 1772 580 Abpfhcje.exe 43 PID 580 wrote to memory of 1772 580 Abpfhcje.exe 43 PID 580 wrote to memory of 1772 580 Abpfhcje.exe 43 PID 580 wrote to memory of 1772 580 Abpfhcje.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\f26f3f2c6000933752133575e0170740_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:356 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:240 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe33⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe35⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe36⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe37⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe38⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe39⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe43⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe45⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe47⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe48⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe49⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe50⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe52⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe54⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe55⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe58⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe59⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:652 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe61⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe62⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe63⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe64⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe67⤵PID:2956
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe69⤵PID:2124
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe70⤵PID:2656
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe72⤵PID:1548
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe73⤵PID:1596
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe74⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe75⤵PID:592
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe76⤵PID:1664
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe77⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe78⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe79⤵PID:2544
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe80⤵PID:2596
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe81⤵PID:2560
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe82⤵PID:2940
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe83⤵PID:2776
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe84⤵PID:3108
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe85⤵PID:3168
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe86⤵PID:3216
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe87⤵PID:3264
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe88⤵PID:3332
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe89⤵PID:3392
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe90⤵
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe91⤵PID:3508
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe92⤵PID:3564
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe93⤵PID:3616
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe94⤵PID:3684
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3736 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe96⤵PID:3812
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3864 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe98⤵PID:3928
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe99⤵PID:3980
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe101⤵PID:4080
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe102⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe103⤵PID:1852
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe104⤵PID:2004
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe105⤵PID:1160
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe106⤵PID:2680
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe108⤵PID:2744
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe109⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe110⤵PID:3240
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe111⤵PID:3096
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe112⤵PID:2896
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe113⤵
- Drops file in System32 directory
PID:3352 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3292 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe115⤵PID:3476
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe116⤵
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe117⤵PID:3592
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe118⤵PID:3556
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe119⤵PID:3652
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe120⤵PID:3720
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-