Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 23:15

Behavioral task behavioral1
Sample: 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
Resource: win7-20240215-en

Behavioral task behavioral2
Sample: 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General

Target: 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
Size: 161KB
MD5: 091a253dc2e199661855b39fd9c6ab70
SHA1: 98011a41c732d0b772b46b03145639f4687c69f7
SHA256: fa77164de2d7bdd01847ac14610df03ab5b731483ce3686ca95b11598e289ace
SHA512: ea9835532d759ebaf1849f28b0fe0ed328bdb9864f6bff1bf8d89b6cf0ed0be8540ec066341f548b44a2559b0899eeca85903b98255b28f523ee9304a4edc855
SSDEEP: 3072:Wb7gOo4BDQ6Zh3hrW8jgBkCVwtCJXeex7rrIRZK8K8/kvV:WcO9Zh3pW4gBkCVwtmeetrIyRV
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every IoC in this signature is under the ShellServiceObjectDelayLoad (SSODL) key. Explorer.exe reads this key at logon and instantiates, inside its own process, the COM object behind each CLSID listed there; the CLSID written here, {79FAA099-1BAE-816E-D711-115290CEE717}, is the one whose InProcServer32 is registered in the "Modifies registry class" signature below. Because the sample is 32-bit, the writes land under Wow6432Node on this x64 image; when checking a host, inspect both the native and the Wow6432Node view of the key. Two actions are recorded (64 rows, 63 distinct processes; Oenifh32.exe appears in both groups):

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
by (34 processes): Ekelld32.exe, Ednpej32.exe, Ocnfbo32.exe, Dlkepi32.exe, Ojahnj32.exe, Bghabf32.exe, Pclfkc32.exe, Najdnj32.exe, Okgnab32.exe, Hicodd32.exe, Jfekcg32.exe, Mlibjc32.exe, Aadloj32.exe, Oenifh32.exe, Ajbdna32.exe, Ejmebq32.exe, Cohigamf.exe, Cfgaiaci.exe, Ndbcpd32.exe, Afiecb32.exe, Lfjqnjkh.exe, Dmafennb.exe, Cdakgibq.exe, Llkbap32.exe, Dndlim32.exe, Egamfkdh.exe, Aemkjiem.exe, Aoepcn32.exe, Efaibbij.exe, Edpmjj32.exe, Hejoiedd.exe, Pikkiijf.exe, Bpgljfbl.exe, Ddeaalpg.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
by (30 processes): Ebodiofk.exe, Pnajilng.exe, Cojema32.exe, Qlkdkd32.exe, Oenifh32.exe, Chemfl32.exe, Kjjmbj32.exe, Kbqecg32.exe, Piblek32.exe, Kfegbj32.exe, Icpigm32.exe, Ebmgcohn.exe, Ahchbf32.exe, Hhmepp32.exe, Aaobdjof.exe, Mlmlecec.exe, Lkppbl32.exe, Oikojfgk.exe, Dhnmij32.exe, Lihmjejl.exe, Jcdbbloa.exe, Dfmdho32.exe, Bifgdk32.exe, Bdhhqk32.exe, Ogblbo32.exe, Ombapedi.exe, Cgcmlcja.exe, Cfeddafl.exe, Icmlam32.exe, Cpeofk32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan with the capability to download and install additional malicious software, such as other Trojans, ransomware, and cryptominers.

All 64 matches are on the yara rule family_berbew. The matched resources are the copies dropped into SysWOW64 (listed as the report gives them, with or without the drive letter) and memory dumps of the running copies, named <pid>-<n>-<start>-<end>-memory.dmp. The pids are those of the "Executes dropped EXE" signature below (2428 is Ojieip32.exe, 1832 is Okalbc32.exe, and so on), and every dump covers the same 0x3F000-byte region, which is consistent with each process being the same image mapped at a different base.

\Windows\SysWOW64\Okalbc32.exe
C:\Windows\SysWOW64\Onphoo32.exe
\Windows\SysWOW64\Okchhc32.exe
\Windows\SysWOW64\Onbddoog.exe
\Windows\SysWOW64\Ocomlemo.exe
\Windows\SysWOW64\Ojieip32.exe
\Windows\SysWOW64\Oenifh32.exe
behavioral1/memory/2428-95-0x0000000000250000-0x000000000028F000-memory.dmp
\Windows\SysWOW64\Ofpfnqjp.exe
behavioral1/memory/2468-110-0x0000000000270000-0x00000000002AF000-memory.dmp
behavioral1/memory/1832-102-0x0000000000440000-0x000000000047F000-memory.dmp
\Windows\SysWOW64\Pgobhcac.exe
\Windows\SysWOW64\Paggai32.exe
\Windows\SysWOW64\Piblek32.exe
\Windows\SysWOW64\Ppmdbe32.exe
\Windows\SysWOW64\Peiljl32.exe
behavioral1/memory/1420-183-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Pmqdkj32.exe
\Windows\SysWOW64\Pelipl32.exe
\Windows\SysWOW64\Plfamfpm.exe
behavioral1/memory/2080-229-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Pabjem32.exe
C:\Windows\SysWOW64\Qlhnbf32.exe
C:\Windows\SysWOW64\Qaefjm32.exe
behavioral1/memory/1420-263-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Qdccfh32.exe
behavioral1/memory/1208-275-0x0000000000300000-0x000000000033F000-memory.dmp
C:\Windows\SysWOW64\Qecoqk32.exe
C:\Windows\SysWOW64\Ahakmf32.exe
C:\Windows\SysWOW64\Ankdiqih.exe
C:\Windows\SysWOW64\Aajpelhl.exe
C:\Windows\SysWOW64\Ahchbf32.exe
behavioral1/memory/1464-328-0x00000000002E0000-0x000000000031F000-memory.dmp
C:\Windows\SysWOW64\Ajbdna32.exe
C:\Windows\SysWOW64\Adjigg32.exe
behavioral1/memory/1712-357-0x0000000000270000-0x00000000002AF000-memory.dmp
behavioral1/memory/2812-361-0x00000000002B0000-0x00000000002EF000-memory.dmp
C:\Windows\SysWOW64\Afiecb32.exe
behavioral1/memory/1020-355-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Alenki32.exe
C:\Windows\SysWOW64\Apajlhka.exe
C:\Windows\SysWOW64\Aenbdoii.exe
C:\Windows\SysWOW64\Aiinen32.exe
C:\Windows\SysWOW64\Apcfahio.exe
C:\Windows\SysWOW64\Aoffmd32.exe
C:\Windows\SysWOW64\Ahokfj32.exe
behavioral1/memory/2808-438-0x0000000000250000-0x000000000028F000-memory.dmp
behavioral1/memory/2548-440-0x00000000002A0000-0x00000000002DF000-memory.dmp
C:\Windows\SysWOW64\Boiccdnf.exe
C:\Windows\SysWOW64\Bhahlj32.exe
C:\Windows\SysWOW64\Blmdlhmp.exe
C:\Windows\SysWOW64\Bbflib32.exe
C:\Windows\SysWOW64\Baildokg.exe
C:\Windows\SysWOW64\Bdhhqk32.exe
C:\Windows\SysWOW64\Bhcdaibd.exe
C:\Windows\SysWOW64\Bommnc32.exe
C:\Windows\SysWOW64\Balijo32.exe
C:\Windows\SysWOW64\Bdjefj32.exe
C:\Windows\SysWOW64\Bghabf32.exe
C:\Windows\SysWOW64\Bopicc32.exe
C:\Windows\SysWOW64\Banepo32.exe
C:\Windows\SysWOW64\Bhhnli32.exe
C:\Windows\SysWOW64\Bkfjhd32.exe
C:\Windows\SysWOW64\Bnefdp32.exe
Executes dropped EXE (64 IoCs)

pid   process
1832  Okalbc32.exe
2468  Onphoo32.exe
2516  Okchhc32.exe
2592  Onbddoog.exe
2608  Ocomlemo.exe
2428  Ojieip32.exe
2904  Oenifh32.exe
2776  Ofpfnqjp.exe
2772  Pgobhcac.exe
764   Paggai32.exe
1452  Piblek32.exe
1420  Ppmdbe32.exe
1208  Peiljl32.exe
2176  Pmqdkj32.exe
2080  Pelipl32.exe
912   Plfamfpm.exe
1096  Pabjem32.exe
1464  Qlhnbf32.exe
948   Qaefjm32.exe
1020  Qdccfh32.exe
1712  Qecoqk32.exe
2076  Ahakmf32.exe
1672  Ankdiqih.exe
2276  Aajpelhl.exe
1496  Ahchbf32.exe
2812  Ajbdna32.exe
2556  Adjigg32.exe
2808  Afiecb32.exe
2152  Alenki32.exe
2396  Apajlhka.exe
2412  Aenbdoii.exe
2408  Aiinen32.exe
2540  Apcfahio.exe
2548  Aoffmd32.exe
1556  Ahokfj32.exe
1504  Boiccdnf.exe
1852  Bhahlj32.exe
1436  Blmdlhmp.exe
2940  Bbflib32.exe
2200  Baildokg.exe
2216  Bdhhqk32.exe
1236  Bhcdaibd.exe
1400  Bommnc32.exe
1248  Balijo32.exe
1312  Bdjefj32.exe
280   Bghabf32.exe
2864  Bopicc32.exe
2212  Banepo32.exe
2952  Bhhnli32.exe
2444  Bkfjhd32.exe
2572  Bnefdp32.exe
2488  Baqbenep.exe
3004  Bdooajdc.exe
2892  Cgmkmecg.exe
1572  Cjlgiqbk.exe
2688  Cngcjo32.exe
2732  Cpeofk32.exe
1620  Cdakgibq.exe
768   Cfbhnaho.exe
2648  Cllpkl32.exe
1264  Coklgg32.exe
2188  Ccfhhffh.exe
2220  Cfeddafl.exe
732   Chcqpmep.exe
Loads dropped DLL (64 IoCs)

The original table lists each of the following 32 processes twice (one row per load); each is given once here.

pid   process
2108  091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
1832  Okalbc32.exe
2468  Onphoo32.exe
2516  Okchhc32.exe
2592  Onbddoog.exe
2608  Ocomlemo.exe
2428  Ojieip32.exe
2904  Oenifh32.exe
2776  Ofpfnqjp.exe
2772  Pgobhcac.exe
764   Paggai32.exe
1452  Piblek32.exe
1420  Ppmdbe32.exe
1208  Peiljl32.exe
2176  Pmqdkj32.exe
2080  Pelipl32.exe
912   Plfamfpm.exe
1096  Pabjem32.exe
1464  Qlhnbf32.exe
948   Qaefjm32.exe
1020  Qdccfh32.exe
1712  Qecoqk32.exe
2076  Ahakmf32.exe
1672  Ankdiqih.exe
2276  Aajpelhl.exe
1496  Ahchbf32.exe
2812  Ajbdna32.exe
2556  Adjigg32.exe
2808  Afiecb32.exe
2152  Alenki32.exe
2396  Apajlhka.exe
2412  Aenbdoii.exe
Drops file in System32 directory (64 IoCs)

Each dropped executable is written by the previously dropped one (the sample itself writes Okalbc32.exe, Bhahlj32.exe writes Blmdlhmp.exe, Aenbdoii.exe writes Aiinen32.exe), which matches the order in "Executes dropped EXE" above. The dropped DLLs are the payloads that the CLSID in "Modifies registry class" below is pointed at.

description | ioc | process
File created | C:\Windows\SysWOW64\Nmlnnp32.dll | Ojolhk32.exe
File created | C:\Windows\SysWOW64\Blmdlhmp.exe | Bhahlj32.exe
File created | C:\Windows\SysWOW64\Pheafa32.dll | Cfgaiaci.exe
File created | C:\Windows\SysWOW64\Cbnbobin.exe | Cckace32.exe
File created | C:\Windows\SysWOW64\Jondlhmp.dll | Gacpdbej.exe
File opened for modification | C:\Windows\SysWOW64\Mppepcfg.exe | Mmahdggc.exe
File created | C:\Windows\SysWOW64\Nnmphi32.dll | Nkbhgojk.exe
File created | C:\Windows\SysWOW64\Kjmbgl32.dll | Nacgdhlp.exe
File created | C:\Windows\SysWOW64\Fiedkadc.dll | 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Ebinic32.exe | Ejbfhfaj.exe
File created | C:\Windows\SysWOW64\Ligkin32.dll | Bafidiio.exe
File created | C:\Windows\SysWOW64\Ddgjdk32.exe | Dbhnhp32.exe
File created | C:\Windows\SysWOW64\Aiinen32.exe | Aenbdoii.exe
File created | C:\Windows\SysWOW64\Ipdljffa.dll | Dflkdp32.exe
File opened for modification | C:\Windows\SysWOW64\Ekholjqg.exe | Ejgcdb32.exe
File created | C:\Windows\SysWOW64\Dchfknpg.dll | Fhffaj32.exe
File opened for modification | C:\Windows\SysWOW64\Qcbllb32.exe | Qlkdkd32.exe
File created | C:\Windows\SysWOW64\Dpiddoma.dll | Cohigamf.exe
File created | C:\Windows\SysWOW64\Dfoqmo32.exe | Doehqead.exe
File created | C:\Windows\SysWOW64\Dookgcij.exe | Dggcffhg.exe
File created | C:\Windows\SysWOW64\Obmhdd32.dll | Pclfkc32.exe
File created | C:\Windows\SysWOW64\Kjcidhml.dll | Ppmdbe32.exe
File created | C:\Windows\SysWOW64\Flcnijgi.dll | Dgdmmgpj.exe
File opened for modification | C:\Windows\SysWOW64\Gejcjbah.exe | Gbkgnfbd.exe
File created | C:\Windows\SysWOW64\Ooghhh32.dll | Gdopkn32.exe
File opened for modification | C:\Windows\SysWOW64\Kjjmbj32.exe | Kkgmgmfd.exe
File created | C:\Windows\SysWOW64\Oqkmbmdg.dll | Mdpjlajk.exe
File created | C:\Windows\SysWOW64\Fjkhohik.dll | Obcccl32.exe
File created | C:\Windows\SysWOW64\Amfcikek.exe | Ajhgmpfg.exe
File opened for modification | C:\Windows\SysWOW64\Ecejkf32.exe | Eojnkg32.exe
File created | C:\Windows\SysWOW64\Ahoanjcc.dll | Emnndlod.exe
File created | C:\Windows\SysWOW64\Efcfga32.exe | Ecejkf32.exe
File opened for modification | C:\Windows\SysWOW64\Okalbc32.exe | 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Ghhofmql.exe | Gejcjbah.exe
File created | C:\Windows\SysWOW64\Pfabenjd.dll | Gphmeo32.exe
File created | C:\Windows\SysWOW64\Pkpagq32.exe | Pgeefbhm.exe
File created | C:\Windows\SysWOW64\Mfacfkje.dll | Dndlim32.exe
File opened for modification | C:\Windows\SysWOW64\Dfoqmo32.exe | Doehqead.exe
File created | C:\Windows\SysWOW64\Eojnkg32.exe | Emkaol32.exe
File created | C:\Windows\SysWOW64\Ealffeej.dll | Pmqdkj32.exe
File opened for modification | C:\Windows\SysWOW64\Egdilkbf.exe | Eeempocb.exe
File opened for modification | C:\Windows\SysWOW64\Flmefm32.exe | Fjlhneio.exe
File opened for modification | C:\Windows\SysWOW64\Npdjje32.exe | Nnennj32.exe
File created | C:\Windows\SysWOW64\Ccahbp32.exe | Ckjpacfp.exe
File created | C:\Windows\SysWOW64\Dgodbh32.exe | Ddagfm32.exe
File created | C:\Windows\SysWOW64\Njqaac32.dll | Ebpkce32.exe
File created | C:\Windows\SysWOW64\Gopkmhjk.exe | Glaoalkh.exe
File created | C:\Windows\SysWOW64\Gdopkn32.exe | Gelppaof.exe
File opened for modification | C:\Windows\SysWOW64\Ghmiam32.exe | Gdamqndn.exe
File created | C:\Windows\SysWOW64\Jjpdcc32.dll | Joplbl32.exe
File created | C:\Windows\SysWOW64\Ngnbgplj.exe | Ndpfkdmf.exe
File created | C:\Windows\SysWOW64\Ecqqpgli.exe | Ednpej32.exe
File opened for modification | C:\Windows\SysWOW64\Bhhnli32.exe | Banepo32.exe
File opened for modification | C:\Windows\SysWOW64\Lefdpe32.exe | Lmolnh32.exe
File created | C:\Windows\SysWOW64\Ngogde32.dll | Nlphkb32.exe
File opened for modification | C:\Windows\SysWOW64\Ooeggp32.exe | Okikfagn.exe
File created | C:\Windows\SysWOW64\Adnopfoj.exe | Aaobdjof.exe
File created | C:\Windows\SysWOW64\Clialdph.dll | Enakbp32.exe
File created | C:\Windows\SysWOW64\Lgeceh32.dll | Cckace32.exe
File created | C:\Windows\SysWOW64\Hlhaqogk.exe | Hhmepp32.exe
File created | C:\Windows\SysWOW64\Bfenbpec.exe | Bdgafdfp.exe
File created | C:\Windows\SysWOW64\Maodqp32.dll | Jfcnngnd.exe
File created | C:\Windows\SysWOW64\Klaoplan.dll | Jfghif32.exe
File opened for modification | C:\Windows\SysWOW64\Mkgfckcj.exe | Mbpnanch.exe
Program crash (1 IoC)

pid   process       target pid   target process
5636  WerFault.exe  5612         Fkckeh32.exe
Modifies registry class (64 IoCs)

All 64 IoCs are under the InProcServer32 subkey of the CLSID that the "Adds autorun key" signature above places in ShellServiceObjectDelayLoad, {79FAA099-1BAE-816E-D711-115290CEE717}. Three actions are recorded:

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
by (26 processes): Kgbggnhc.exe, Pnajilng.exe, Pikkiijf.exe, Cndbcc32.exe, Llkbap32.exe, Gejcjbah.exe, Aefeijle.exe, Ofpfnqjp.exe, Ebinic32.exe, Ffbicfoc.exe, Mhgmapfi.exe, Bkfjhd32.exe, Fhffaj32.exe, Kifpdelo.exe, Glaoalkh.exe, Dbbkja32.exe, Najdnj32.exe, Aajpelhl.exe, Epieghdk.exe, Fejgko32.exe, Hiekid32.exe, Djbiicon.exe, Oenifh32.exe, Oopnlacm.exe, Pogclp32.exe, Facdeo32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
by (21 processes): Hlfdkoin.exe, Jkbcln32.exe, Obafnlpn.exe, Boqbfb32.exe, Efcfga32.exe, Dgaqgh32.exe, Fjdbnf32.exe, Jkpgfn32.exe, Kaklpcoc.exe, Lihmjejl.exe, Bhigphio.exe, Glaoalkh.exe, Dojald32.exe, Kihqkagp.exe, Kfegbj32.exe, Pmanoifd.exe, Kcdnao32.exe, Gldkfl32.exe, Hgbebiao.exe, Jjjacf32.exe, Pogclp32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "<DLL path>"
This is the key's default value, i.e. the DLL Explorer.exe will load for the CLSID. 17 processes each point the same CLSID at their own dropped DLL, so whichever wrote last decides which DLL is loaded at the next logon. Backslashes in the data are doubled as in the report's rendering. Three of these DLLs (Jjpdcc32.dll, Ahoanjcc.dll, Klaoplan.dll) also appear as "File created" by the same process in the "Drops file in System32 directory" rows above; the rest are not among the 64 drop rows shown.
Joplbl32.exe   "C:\\Windows\\SysWow64\\Jjpdcc32.dll"
Emnndlod.exe   "C:\\Windows\\SysWow64\\Ahoanjcc.dll"
Fhhcgj32.exe   "C:\\Windows\\SysWow64\\Ongbcmlc.dll"
Lefdpe32.exe   "C:\\Windows\\SysWow64\\Pcefke32.dll"
Efaibbij.exe   "C:\\Windows\\SysWow64\\Illjbiak.dll"
Papfegmk.exe   "C:\\Windows\\SysWow64\\Eeoffcnl.dll"
Cllpkl32.exe   "C:\\Windows\\SysWow64\\Kddjlc32.dll"
Dbbkja32.exe   "C:\\Windows\\SysWow64\\Njcbaa32.dll"
Aefeijle.exe   "C:\\Windows\\SysWow64\\Ejbgljdk.dll"
Bidjnkdg.exe   "C:\\Windows\\SysWow64\\Keefji32.dll"
Cgcmlcja.exe   "C:\\Windows\\SysWow64\\Lfmnmlid.dll"
Nocnbmoo.exe   "C:\\Windows\\SysWow64\\Kijmee32.dll"
Dhjgal32.exe   "C:\\Windows\\SysWow64\\Ljpghahi.dll"
Ceaadk32.exe   "C:\\Windows\\SysWow64\\Jjhhpp32.dll"
Jfghif32.exe   "C:\\Windows\\SysWow64\\Klaoplan.dll"
Onbddoog.exe   "C:\\Windows\\SysWow64\\Gqpnhgek.dll"
Clilkfnb.exe   "C:\\Windows\\SysWow64\\Obilnl32.dll"
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe, Okalbc32.exe, Onphoo32.exe, Okchhc32.exe, Onbddoog.exe, Ocomlemo.exe, Ojieip32.exe, Oenifh32.exe, Ofpfnqjp.exe, Pgobhcac.exe, Paggai32.exe, Piblek32.exe, Ppmdbe32.exe, Peiljl32.exe, Pmqdkj32.exe, Pelipl32.exe
description | pid | process | target process (every pair below is logged four times in the raw report; 16 pairs x 4 = the 64 IoCs)
PID 2108 wrote to memory of 1832 | 2108 | 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe | Okalbc32.exe
PID 1832 wrote to memory of 2468 | 1832 | Okalbc32.exe | Onphoo32.exe
PID 2468 wrote to memory of 2516 | 2468 | Onphoo32.exe | Okchhc32.exe
PID 2516 wrote to memory of 2592 | 2516 | Okchhc32.exe | Onbddoog.exe
PID 2592 wrote to memory of 2608 | 2592 | Onbddoog.exe | Ocomlemo.exe
PID 2608 wrote to memory of 2428 | 2608 | Ocomlemo.exe | Ojieip32.exe
PID 2428 wrote to memory of 2904 | 2428 | Ojieip32.exe | Oenifh32.exe
PID 2904 wrote to memory of 2776 | 2904 | Oenifh32.exe | Ofpfnqjp.exe
PID 2776 wrote to memory of 2772 | 2776 | Ofpfnqjp.exe | Pgobhcac.exe
PID 2772 wrote to memory of 764 | 2772 | Pgobhcac.exe | Paggai32.exe
PID 764 wrote to memory of 1452 | 764 | Paggai32.exe | Piblek32.exe
PID 1452 wrote to memory of 1420 | 1452 | Piblek32.exe | Ppmdbe32.exe
PID 1420 wrote to memory of 1208 | 1420 | Ppmdbe32.exe | Peiljl32.exe
PID 1208 wrote to memory of 2176 | 1208 | Peiljl32.exe | Pmqdkj32.exe
PID 2176 wrote to memory of 2080 | 2176 | Pmqdkj32.exe | Pelipl32.exe
PID 2080 wrote to memory of 912 | 2080 | Pelipl32.exe | Plfamfpm.exe
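As an added example (not part of the sandbox report and not code from the sample), the Python script below parses event lines in the shape shown above and reconstructs the two facts an analyst wants out of them: the persistence chain (the ShellServiceObjectDelayLoad value name, the CLSID it points at, and every DLL path that successive generations write as that CLSID's InProcServer32 default) and the parent-to-child process chain implied by the WriteProcessMemory events. The event text embedded in the script is a constructed excerpt of this report; the function names and regular expressions are the example's own.

```python
"""Extract the persistence chain and the process chain from Triage-style
sandbox event lines like the ones in this report. Added example, not part
of the report; the event text below is a constructed excerpt."""
import re
from collections import Counter

# Constructed excerpt in the shape of the report's registry events: the SSODL
# value that names the CLSID, and the InProcServer32 writes for that CLSID.
REGISTRY_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebodiofk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gejcjbah.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoffcnl.dll" Papfegmk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhigphio.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddjlc32.dll" Cllpkl32.exe
'''

# Constructed excerpt of the WriteProcessMemory events (the report runs them
# together on one line, so the parser scans the text rather than lines).
WPM_EVENTS = '''
PID 2108 wrote to memory of 1832 2108 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe Okalbc32.exe PID 2108 wrote to memory of 1832 2108 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe Okalbc32.exe
PID 2108 wrote to memory of 1832 2108 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe Okalbc32.exe PID 2108 wrote to memory of 1832 2108 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe Okalbc32.exe
PID 1832 wrote to memory of 2468 1832 Okalbc32.exe Onphoo32.exe PID 1832 wrote to memory of 2468 1832 Okalbc32.exe Onphoo32.exe
PID 1832 wrote to memory of 2468 1832 Okalbc32.exe Onphoo32.exe PID 1832 wrote to memory of 2468 1832 Okalbc32.exe Onphoo32.exe
PID 2468 wrote to memory of 2516 2468 Onphoo32.exe Okchhc32.exe
'''

SET_RE = re.compile(r'^Set value \(str\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+\.exe)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\\S+) (?P<proc>\S+\.exe)$')
WPM_RE = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$', re.I)


def parse_registry(text):
    """Return (op, key, value_name, value, process) tuples; value_name is ""
    for a key's default value and None for 'Key created' events."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            key, _, name = m["path"].rpartition("\\")
            # the report doubles backslashes inside quoted string values
            events.append(("set", key, name, m["value"].replace("\\\\", "\\"), m["proc"]))
            continue
        m = KEY_RE.match(line)
        if m:
            events.append(("create", m["path"], None, None, m["proc"]))
    return events


def persistence_chain(events):
    """Map every CLSID registered under ShellServiceObjectDelayLoad to the
    DLL paths written as its InProcServer32 default value and to the set of
    processes that touched either side of the chain."""
    chain = {}
    for op, key, name, value, proc in events:
        if op == "set" and key.upper().endswith("\\SHELLSERVICEOBJECTDELAYLOAD"):
            entry = chain.setdefault(value, {"ssodl_name": name, "dlls": set(), "writers": set()})
            entry["writers"].add(proc)
    for op, key, name, value, proc in events:
        m = CLSID_RE.search(key)
        if m and m[1] in chain:
            chain[m[1]]["writers"].add(proc)
            if op == "set" and name == "":  # default value = DLL Explorer will load
                chain[m[1]]["dlls"].add(value)
    return chain


def parse_wpm(text):
    """Count WriteProcessMemory events per (source pid, target pid) edge and
    remember the image name seen for each pid."""
    edges, names = Counter(), {}
    for m in WPM_RE.finditer(text):
        edges[(m["src"], m["dst"])] += 1
        names[m["src"]] = m["src_name"]
        names[m["dst"]] = m["dst_name"]
    return edges, names


def process_chain(edges, names, root):
    """Follow write edges from root; this sample spawns exactly one child per
    generation, so the result is the linear chain of the process tree."""
    chain, pid, seen = [], root, set()
    while pid in names and pid not in seen:
        seen.add(pid)
        chain.append((pid, names[pid]))
        children = [dst for (src, dst) in edges if src == pid]
        if not children:
            break
        pid = children[0]
    return chain


if __name__ == "__main__":
    for clsid, info in persistence_chain(parse_registry(REGISTRY_EVENTS)).items():
        print(f"SSODL '{info['ssodl_name']}' -> {clsid}")
        for dll in sorted(info["dlls"]):
            print(f"  InProcServer32 -> {dll}")
        print(f"  written by: {', '.join(sorted(info['writers']))}")
    edges, names = parse_wpm(WPM_EVENTS)
    for pid, name in process_chain(edges, names, "2108"):
        print(f"{pid} {name}")
```

Run against the full report the DLL set grows by one entry for each generation that rewrote the InProcServer32 default (Eeoffcnl.dll, Kddjlc32.dll, Njcbaa32.dll and so on), which is the detail worth carrying into hunting: the CLSID {79FAA099-1BAE-816E-D711-115290CEE717} and the SSODL value name "Web Event Logger" stay constant while the DLL filename changes. The keys here sit under Wow6432Node because the sample is a 32-bit process; on a 64-bit host an audit should read both the native and the Wow6432Node ShellServiceObjectDelayLoad keys and resolve each CLSID's InProcServer32 before deciding a value is benign.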
Processes
-
Process tree, one entry per process. The number is the nesting depth and each process is a child of the entry above it. For every entry after the first, the command line is C:\Windows\system32\<name> and the image path is C:\Windows\SysWOW64\<name> (a 32-bit process on 64-bit Windows, so the system32 path is redirected to SysWOW64). Signature abbreviations: AUTORUN = Adds autorun key to be loaded by Explorer.exe on startup, EXE = Executes dropped EXE, DLL = Loads dropped DLL, SYS32 = Drops file in System32 directory, REG = Modifies registry class, WPM = Suspicious use of WriteProcessMemory.

1. C:\Users\Admin\AppData\Local\Temp\091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe (command line "C:\Users\Admin\AppData\Local\Temp\091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe", PID 2108): DLL, SYS32, WPM
2. Okalbc32.exe (PID 1832): EXE, DLL, WPM
3. Onphoo32.exe (PID 2468): EXE, DLL, WPM
4. Okchhc32.exe (PID 2516): EXE, DLL, WPM
5. Onbddoog.exe (PID 2592): EXE, DLL, REG, WPM
6. Ocomlemo.exe (PID 2608): EXE, DLL, WPM
7. Ojieip32.exe (PID 2428): EXE, DLL, WPM
8. Oenifh32.exe (PID 2904): AUTORUN, EXE, DLL, REG, WPM
9. Ofpfnqjp.exe (PID 2776): EXE, DLL, REG, WPM
10. Pgobhcac.exe (PID 2772): EXE, DLL, WPM
11. Paggai32.exe (PID 764): EXE, DLL, WPM
12. Piblek32.exe (PID 1452): AUTORUN, EXE, DLL, WPM
13. Ppmdbe32.exe (PID 1420): EXE, DLL, SYS32, WPM
14. Peiljl32.exe (PID 1208): EXE, DLL, WPM
15. Pmqdkj32.exe (PID 2176): EXE, DLL, SYS32, WPM
16. Pelipl32.exe (PID 2080): EXE, DLL, WPM
17. Plfamfpm.exe (PID 912): EXE, DLL
18. Pabjem32.exe (PID 1096): EXE, DLL
19. Qlhnbf32.exe (PID 1464): EXE, DLL
20. Qaefjm32.exe (PID 948): EXE, DLL
21. Qdccfh32.exe (PID 1020): EXE, DLL
22. Qecoqk32.exe (PID 1712): EXE, DLL
23. Ahakmf32.exe (PID 2076): EXE, DLL
24. Ankdiqih.exe (PID 1672): EXE, DLL
25. Aajpelhl.exe (PID 2276): EXE, DLL, REG
26. Ahchbf32.exe (PID 1496): AUTORUN, EXE, DLL
27. Ajbdna32.exe (PID 2812): AUTORUN, EXE, DLL
28. Adjigg32.exe (PID 2556): EXE, DLL
29. Afiecb32.exe (PID 2808): AUTORUN, EXE, DLL
30. Alenki32.exe (PID 2152): EXE, DLL
31. Apajlhka.exe (PID 2396): EXE, DLL
32. Aenbdoii.exe (PID 2412): EXE, DLL, SYS32
33. Aiinen32.exe (PID 2408): EXE
34. Apcfahio.exe (PID 2540): EXE
35. Aoffmd32.exe (PID 2548): EXE
36. Ahokfj32.exe (PID 1556): EXE
37. Boiccdnf.exe (PID 1504): EXE
38. Bhahlj32.exe (PID 1852): EXE, SYS32
39. Blmdlhmp.exe (PID 1436): EXE
40. Bbflib32.exe (PID 2940): EXE
41. Baildokg.exe (PID 2200): EXE
42. Bdhhqk32.exe (PID 2216): AUTORUN, EXE
43. Bhcdaibd.exe (PID 1236): EXE
44. Bommnc32.exe (PID 1400): EXE
45. Balijo32.exe (PID 1248): EXE
46. Bdjefj32.exe (PID 1312): EXE
47. Bghabf32.exe (PID 280): AUTORUN, EXE
48. Bopicc32.exe (PID 2864): EXE
49. Banepo32.exe (PID 2212): EXE, SYS32
50. Bhhnli32.exe (PID 2952): EXE
51. Bkfjhd32.exe (PID 2444): EXE, REG
52. Bnefdp32.exe (PID 2572): EXE
53. Baqbenep.exe (PID 2488): EXE
54. Bdooajdc.exe (PID 3004): EXE
55. Cgmkmecg.exe (PID 2892): EXE
56. Cjlgiqbk.exe (PID 1572): EXE
57. Cngcjo32.exe (PID 2688): EXE
58. Cpeofk32.exe (PID 2732): AUTORUN, EXE
59. Cdakgibq.exe (PID 1620): AUTORUN, EXE
60. Cfbhnaho.exe (PID 768): EXE
61. Cllpkl32.exe (PID 2648): EXE, REG
62. Coklgg32.exe (PID 1264): EXE
63. Ccfhhffh.exe (PID 2188): EXE
64. Cfeddafl.exe (PID 2220): AUTORUN, EXE
65. Chcqpmep.exe (PID 732): EXE
66. Cpjiajeb.exe (PID 2208)
67. Cciemedf.exe (PID 1776)
68. Cfgaiaci.exe (PID 112): AUTORUN, SYS32
69. Chemfl32.exe (PID 2008): AUTORUN
70. Ckdjbh32.exe (PID 1920)
71. Cckace32.exe (PID 2052): SYS32
72. Cbnbobin.exe (PID 2632)
73. Ckffgg32.exe (PID 2316)
74. Cndbcc32.exe (PID 2736): REG
75. Dflkdp32.exe (PID 2580): SYS32
76. Ddokpmfo.exe (PID 2956)
77. Dhjgal32.exe (PID 2716): REG
78. Dkhcmgnl.exe (PID 1848)
79. Dbbkja32.exe (PID 1588): REG
80. Ddagfm32.exe (PID 1512): SYS32
81. Dgodbh32.exe (PID 2312)
82. Djnpnc32.exe (PID 1668)
83. Dbehoa32.exe (PID 944)
84. Ddcdkl32.exe (PID 1116)
85. Dgaqgh32.exe (PID 240): REG
86. Djpmccqq.exe (PID 1576)
87. Dmoipopd.exe (PID 2948)
88. Ddeaalpg.exe (PID 884): AUTORUN
89. Dgdmmgpj.exe (PID 2328): SYS32
90. Djbiicon.exe (PID 2576): REG
91. Dmafennb.exe (PID 2944): AUTORUN
92. Dcknbh32.exe (PID 2536)
93. Dfijnd32.exe (PID 2320)
94. Djefobmk.exe (PID 300)
95. Epaogi32.exe (PID 1544)
96. Ebpkce32.exe (PID 2880): SYS32
97. Ejgcdb32.exe (PID 1688): SYS32
98. Ekholjqg.exe (PID 2164)
99. Ecpgmhai.exe (PID 668)
100. Efncicpm.exe (PID 872)
101. Eilpeooq.exe (PID 2988)
102. Ekklaj32.exe (PID 1548)
103. Ebedndfa.exe (PID 1964)
104. Eecqjpee.exe (PID 1956)
105. Egamfkdh.exe (PID 1432): AUTORUN
106. Epieghdk.exe (PID 2712): REG
107. Ebgacddo.exe (PID 2380)
108. Eeempocb.exe (PID 2392): SYS32
109. Egdilkbf.exe (PID 2676)
110. Ejbfhfaj.exe (PID 1568): SYS32
111. Ebinic32.exe (PID 2432): REG
112. Fehjeo32.exe (PID 1320)
113. Fhffaj32.exe (PID 2352): SYS32, REG
114. Fjdbnf32.exe (PID 1456): REG
115. Fmcoja32.exe (PID 376)
116. Fejgko32.exe (PID 1784): REG
117. Fhhcgj32.exe (PID 1632): REG
118. Fmekoalh.exe (PID 2448)
119. Faagpp32.exe (PID 2324)
120. Fpdhklkl.exe (PID 2400)
121. Fhkpmjln.exe (PID 2824)
122. Filldb32.exe (PID 2708)
123. Facdeo32.exe (PID 2104): REG
124. Fdapak32.exe (PID 1360)
125. Fjlhneio.exe (PID 2000): SYS32
126. Flmefm32.exe (PID 2132)
127. Fddmgjpo.exe (PID 1908)
128. Ffbicfoc.exe (PID 1428): REG
129. Fiaeoang.exe (PID 1256)
130. Globlmmj.exe (PID 2480)
131. Gonnhhln.exe (PID 2552)
132. Gbijhg32.exe (PID 2780)
133. Gicbeald.exe (PID 620)
134. Glaoalkh.exe (PID 3060): SYS32, REG
135. Gopkmhjk.exe (PID 1292)
136. Gbkgnfbd.exe (PID 1948): SYS32
137. Gejcjbah.exe (PID 848): SYS32, REG
138. Ghhofmql.exe (PID 2240)
139. Gldkfl32.exe (PID 1008): REG
140. Gbnccfpb.exe (PID 1532)
141. Gelppaof.exe (PID 2996): SYS32
142. Gdopkn32.exe (PID 1880): SYS32
143. Glfhll32.exe (PID 1888)
144. Goddhg32.exe (PID 2644)
145. Gacpdbej.exe (PID 1988): SYS32
146. Gdamqndn.exe (PID 2920): SYS32
147. Ghmiam32.exe (PID 680)
148. Gogangdc.exe (PID 1176)
149. Gmjaic32.exe (PID 1936)
150. Gphmeo32.exe (PID 1540): SYS32
151. Gddifnbk.exe (PID 2624)
152. Hgbebiao.exe (PID 2684): REG
153. Hiqbndpb.exe (PID 2900)
154. Hmlnoc32.exe (PID 996)
155. Hpkjko32.exe (PID 2020)
156. Hcifgjgc.exe (PID 852)
157. Hgdbhi32.exe (PID 2180)
158. Hicodd32.exe (PID 1728): AUTORUN
159. Hlakpp32.exe (PID 1884)
160. Hdhbam32.exe (PID 2500)
161. Hckcmjep.exe (PID 2740)
162. Hejoiedd.exe (PID 1676): AUTORUN
163. Hiekid32.exe (PID 988): REG
164. Hlcgeo32.exe (PID 984)
165. Hpocfncj.exe (PID 1524)
166. Hcnpbi32.exe (PID 796)
167. Hellne32.exe (PID 2696)
168. Hhjhkq32.exe (PID 2936)
169. Hlfdkoin.exe (PID 3044): REG
170. Hcplhi32.exe (PID 1696)
171. Hacmcfge.exe (PID 3028)
172. Hhmepp32.exe (PID 2440): AUTORUN, SYS32
173. Hlhaqogk.exe (PID 1636)
174. Icbimi32.exe (PID 1608)
175. Iaeiieeb.exe (PID 1580)
176. Idceea32.exe (PID 2360)
177. Ilknfn32.exe (PID 1056)
178. Ioijbj32.exe (PID 2084)
179. Inljnfkg.exe (PID 2976)
180. Ifcbodli.exe (PID 2464)
181. Ihankokm.exe (PID 1680)
182. Ikpjgkjq.exe (PID 1624)
183. Inngcfid.exe (PID 2056)
184. Iqmcpahh.exe (PID 2364)
185. Idhopq32.exe (PID 2532)
186. Ikbgmj32.exe (PID 2584)
187. Inqcif32.exe (PID 2728)
188. Iqopea32.exe (PID 2036)
189. Icmlam32.exe (PID 2148): AUTORUN
190. Ikddbj32.exe (PID 2224)
191. Ijgdngmf.exe (PID 2120)
192. Imfqjbli.exe (PID 3096)
193. Iqalka32.exe (PID 3136)
194. Icpigm32.exe (PID 3176): AUTORUN
195. Igkdgk32.exe (PID 3216)
196. Jjjacf32.exe (PID 3256): REG
197. Jnemdecl.exe (PID 3296)
198. Jqdipqbp.exe (PID 3336)
199. Jofiln32.exe (PID 3376)
200. Jgnamk32.exe (PID 3416)
201. Jfqahgpg.exe (PID 3456)
202. Jiondcpk.exe (PID 3496)
203. Jqfffqpm.exe (PID 3536)
204. Jcdbbloa.exe (PID 3576): AUTORUN
205. Jfcnngnd.exe (PID 3616): SYS32
206. Jiakjb32.exe (PID 3656)
207. Jkpgfn32.exe (PID 3700): REG
208. Jbjochdi.exe (PID 3740)
209. Jfekcg32.exe (PID 3780): AUTORUN
210. Jicgpb32.exe (PID 3820)
211. Jkbcln32.exe (PID 3860): REG
212. Jbllihbf.exe (PID 3900)
213. Jfghif32.exe (PID 3940): SYS32, REG
214. Jifdebic.exe (PID 3980)
215. Jgidao32.exe (PID 4020)
216. Joplbl32.exe (PID 4060): SYS32, REG
217. Jnclnihj.exe (PID 3076)
218. Kihqkagp.exe (PID 3120): REG
219. Kkgmgmfd.exe (PID 3168): SYS32
220. Kjjmbj32.exe (PID 1004): AUTORUN
221. Kbqecg32.exe (PID 3272): AUTORUN
222. Keoapb32.exe (PID 3268)
223. Kgnnln32.exe (PID 3364)
224. Kjljhjkl.exe (PID 3412)
225. Kngfih32.exe (PID 3472)
226. Kafbec32.exe (PID 3512)
227. Kcdnao32.exe (PID 3564): REG
228. Kgpjanje.exe (PID 3600)
229. Kjnfniii.exe (PID 3664)
230. Kmmcjehm.exe (PID 3676)
231. Kpkofpgq.exe (PID 3768)
232. Kgbggnhc.exe (PID 3816): REG
233. Kfegbj32.exe (PID 3872): AUTORUN, REG
234. Kmopod32.exe (PID 3916)
235. Kaklpcoc.exe (PID 3968): REG
236. Kblhgk32.exe (PID 4004)
237. Kfgdhjmk.exe (PID 4032)
238. Kifpdelo.exe (PID 3092): REG
239. Lldlqakb.exe (PID 3184)
240. Lckdanld.exe (PID 3212)
241. Lfjqnjkh.exe (PID 3288): AUTORUN
242. Lihmjejl.exe (PID 3332): AUTORUN, REG