Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
11-05-2024 22:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
442d8ef2c2e7dd7e6b154b5a56b93b20_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
442d8ef2c2e7dd7e6b154b5a56b93b20_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
442d8ef2c2e7dd7e6b154b5a56b93b20_NeikiAnalytics.exe
-
Size
256KB
-
MD5
442d8ef2c2e7dd7e6b154b5a56b93b20
-
SHA1
55cbb7170817add22a315a3eba874dec5dcc24c1
-
SHA256
6ac3b68dd5b8f8f26b3db64da7abf9fa8c29212eb336c6664a128c419c1b3f34
-
SHA512
e373c15e0b1d966959548f73754e1f1be97d4e594e8c0bd46f4c3dd06fb3fc159fe11ce48c5b36b28f4363dc8de0aa91a0fa8fce7940d4bae8b43f5bb50fa209
-
SSDEEP
6144:U67lLFRYem79C81NByvZ6Mxv5Rar3O6B9fZSLhZmzbBy9:U6JYZ9C8HByvNv54B9f01ZmHBy9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qeemej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jagqlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onholckc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blfdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhgjblfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpacfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Angddopp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opmllk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbbnhfjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpfijcfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpgpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekfan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemlmgnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcidfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgemphmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baocghgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eekaebcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Giacca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lklnhlfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjqjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdgljmcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphmie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohehq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemjpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbidj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgqggce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clbceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjddphlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojqkbdf.exe -
Executes dropped EXE 64 IoCs
pid Process 1016 Nicjhchb.exe 3200 Nkagdoge.exe 1656 Nomcen32.exe 3180 Nbkoai32.exe 3572 Nejkmdnf.exe 2132 Niegnc32.exe 4476 Noopjmnl.exe 1204 Nqqlbe32.exe 440 Nelhbdlc.exe 1780 Nkfpon32.exe 636 Nndlkj32.exe 4672 Obphlhkm.exe 4160 Oendhdjq.exe 960 Oijqibbj.exe 4504 Okhmenan.exe 2808 Obbeah32.exe 2572 Oeqanc32.exe 3872 Opfekl32.exe 1108 Oagbbdnb.exe 724 Ogajooeo.exe 1216 Ophbqlea.exe 1948 Oajohd32.exe 4736 Oeekicdi.exe 3384 Ogdgencl.exe 1920 Opkoflco.exe 264 Obikbgbb.exe 3512 Oehgnbbf.exe 468 Ogfcjnaj.exe 1720 Opmllk32.exe 748 Pblhhg32.exe 4340 Pejddb32.exe 736 Pihmjqfj.exe 1144 Plfiflen.exe 680 Pneebg32.exe 3000 Pacaoc32.exe 4928 Phmjkmka.exe 2844 Ppdbljkd.exe 3344 Pbbnhfjh.exe 3948 Peajdajk.exe 4332 Plkbak32.exe 3416 Ppgobjia.exe 3804 Pbekne32.exe 3896 Pecgja32.exe 2488 Phbcfl32.exe 1636 Qpikgj32.exe 2508 Qbggce32.exe 872 Qefdpq32.exe 4612 Qiappono.exe 436 Qpkhmi32.exe 3604 Qnnhhflf.exe 512 Qehqepcc.exe 2956 Qhfmalbg.exe 3516 Apndbici.exe 4856 Ablaodbm.exe 2460 Aejmkpaq.exe 2512 Aldegj32.exe 2216 Aocace32.exe 3992 Aemjpp32.exe 3676 Ahkflk32.exe 4484 Abqjjd32.exe 1688 Aackeqeb.exe 1652 Ahncbk32.exe 5080 Apekch32.exe 5092 Abcgoc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Njcqqgjb.dll Mcklgm32.exe File opened for modification C:\Windows\SysWOW64\Dlojkddn.exe Djpnohej.exe File created C:\Windows\SysWOW64\Eifbkgjd.dll Jfoiokfb.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Process not Found File created C:\Windows\SysWOW64\Choehhlk.dll Hecmijim.exe File created C:\Windows\SysWOW64\Njciko32.exe Ngdmod32.exe File created C:\Windows\SysWOW64\Nmnqjp32.exe Process not Found File created C:\Windows\SysWOW64\Fcpjljph.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dafppp32.exe Process not Found File created C:\Windows\SysWOW64\Lalnmiia.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cgndoeag.exe Process not Found File opened for modification C:\Windows\SysWOW64\Epagkd32.exe Process not Found File created C:\Windows\SysWOW64\Obphlhkm.exe Nndlkj32.exe File created C:\Windows\SysWOW64\Aojefobm.exe Process not Found File created C:\Windows\SysWOW64\Ifaden32.dll Oehgnbbf.exe File created C:\Windows\SysWOW64\Ibimpp32.dll Jdhine32.exe File created C:\Windows\SysWOW64\Bkphhgfc.exe Process not Found File created C:\Windows\SysWOW64\Aonoao32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ajfoiqll.exe Aldomc32.exe File created C:\Windows\SysWOW64\Jcpfco32.dll Dbllbibl.exe File opened for modification C:\Windows\SysWOW64\Fkopnh32.exe Fllpbldb.exe File created C:\Windows\SysWOW64\Hbdjchgn.exe Hdpiid32.exe File opened for modification C:\Windows\SysWOW64\Kipabjil.exe Kknafn32.exe File opened for modification C:\Windows\SysWOW64\Flnlhk32.exe Fhcpgmjf.exe File opened for modification C:\Windows\SysWOW64\Iknmla32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dkkcge32.exe Ddakjkqi.exe File created C:\Windows\SysWOW64\Hbpphi32.exe Hgjljpkm.exe File created C:\Windows\SysWOW64\Gidjfdep.dll Clbceo32.exe File created C:\Windows\SysWOW64\Qpcecb32.exe Process not Found File created C:\Windows\SysWOW64\Apddkmko.dll Process not Found File created C:\Windows\SysWOW64\Febgea32.exe Fafkecel.exe File opened for modification C:\Windows\SysWOW64\Mhldbh32.exe Process not Found File created C:\Windows\SysWOW64\Dbkqfe32.exe Process not Found File created C:\Windows\SysWOW64\Pinnnm32.dll Process not Found File created C:\Windows\SysWOW64\Kkconn32.exe Process not Found File created C:\Windows\SysWOW64\Egened32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Obikbgbb.exe Opkoflco.exe File created C:\Windows\SysWOW64\Lkeekk32.exe Process not Found File created C:\Windows\SysWOW64\Gmoliohh.exe Gidphq32.exe File created C:\Windows\SysWOW64\Olcbmj32.exe Nnqbanmo.exe File opened for modification C:\Windows\SysWOW64\Gfeaopqo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cmlcbbcj.exe Cnicfe32.exe File opened for modification C:\Windows\SysWOW64\Lbchba32.exe Lpekef32.exe File created C:\Windows\SysWOW64\Qjlnnemp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Glgjlm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Empoiimf.exe Process not Found File created C:\Windows\SysWOW64\Cjpckf32.exe Ceckcp32.exe File created C:\Windows\SysWOW64\Gbgkfg32.exe Goiojk32.exe File opened for modification C:\Windows\SysWOW64\Opcqnb32.exe Ohlimd32.exe File opened for modification C:\Windows\SysWOW64\Dbcmakpl.exe Process not Found File created C:\Windows\SysWOW64\Ehndnh32.exe Process not Found File created C:\Windows\SysWOW64\Pqbala32.exe Process not Found File created C:\Windows\SysWOW64\Lgikfn32.exe Lcmofolg.exe File created C:\Windows\SysWOW64\Nghjpm32.dll Gododflk.exe File created C:\Windows\SysWOW64\Agnjelkm.dll Process not Found File created C:\Windows\SysWOW64\Helfik32.exe Hckjacjg.exe File created C:\Windows\SysWOW64\Dpofmcef.dll Process not Found File created C:\Windows\SysWOW64\Hpqldc32.exe Process not Found File created C:\Windows\SysWOW64\Oigllh32.exe Oekpkigo.exe File opened for modification C:\Windows\SysWOW64\Hfcpncdk.exe Hbhdmd32.exe File opened for modification C:\Windows\SysWOW64\Bhpfqcln.exe Process not Found File created C:\Windows\SysWOW64\Efpomccg.exe Process not Found File created C:\Windows\SysWOW64\Dokjbp32.exe Dllmfd32.exe File created C:\Windows\SysWOW64\Ipdejo32.dll Iicbehnq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15216 6836 Process not Found 2153 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpqlc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfqjafdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbhmhpf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll" Mahbje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajkaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbkjjblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmccchkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mekgdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlednamo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhebonp.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cehkhecb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbfbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Heapdjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Klfjijgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbllbmg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbefaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgmfg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogajooeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olihhh32.dll" Pqnaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daaicfgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clqnjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinbbnpa.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlncan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbgkfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfjmgdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojhiqefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll" Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdkggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laniklje.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjnjqfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglkaf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdaldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnknpnlf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll" Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmakeiil.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 396 wrote to memory of 1016 396 442d8ef2c2e7dd7e6b154b5a56b93b20_NeikiAnalytics.exe 82 PID 396 wrote to memory of 1016 396 442d8ef2c2e7dd7e6b154b5a56b93b20_NeikiAnalytics.exe 82 PID 396 wrote to memory of 1016 396 442d8ef2c2e7dd7e6b154b5a56b93b20_NeikiAnalytics.exe 82 PID 1016 wrote to memory of 3200 1016 Nicjhchb.exe 83 PID 1016 wrote to memory of 3200 1016 Nicjhchb.exe 83 PID 1016 wrote to memory of 3200 1016 Nicjhchb.exe 83 PID 3200 wrote to memory of 1656 3200 Nkagdoge.exe 84 PID 3200 wrote to memory of 1656 3200 Nkagdoge.exe 84 PID 3200 wrote to memory of 1656 3200 Nkagdoge.exe 84 PID 1656 wrote to memory of 3180 1656 Nomcen32.exe 85 PID 1656 wrote to memory of 3180 1656 Nomcen32.exe 85 PID 1656 wrote to memory of 3180 1656 Nomcen32.exe 85 PID 3180 wrote to memory of 3572 3180 Nbkoai32.exe 86 PID 3180 wrote to memory of 3572 3180 Nbkoai32.exe 86 PID 3180 wrote to memory of 3572 3180 Nbkoai32.exe 86 PID 3572 wrote to memory of 2132 3572 Nejkmdnf.exe 87 PID 3572 wrote to memory of 2132 3572 Nejkmdnf.exe 87 PID 3572 wrote to memory of 2132 3572 Nejkmdnf.exe 87 PID 2132 wrote to memory of 4476 2132 Niegnc32.exe 88 PID 2132 wrote to memory of 4476 2132 Niegnc32.exe 88 PID 2132 wrote to memory of 4476 2132 Niegnc32.exe 88 PID 4476 wrote to memory of 1204 4476 Noopjmnl.exe 89 PID 4476 wrote to memory of 1204 4476 Noopjmnl.exe 89 PID 4476 wrote to memory of 1204 4476 Noopjmnl.exe 89 PID 1204 wrote to memory of 440 1204 Nqqlbe32.exe 90 PID 1204 wrote to memory of 440 1204 Nqqlbe32.exe 90 PID 1204 wrote to memory of 440 1204 Nqqlbe32.exe 90 PID 440 wrote to memory of 1780 440 Nelhbdlc.exe 91 PID 440 wrote to memory of 1780 440 Nelhbdlc.exe 91 PID 440 wrote to memory of 1780 440 Nelhbdlc.exe 91 PID 1780 wrote to memory of 636 1780 Nkfpon32.exe 92 PID 1780 wrote to memory of 636 1780 Nkfpon32.exe 92 PID 1780 wrote to memory of 636 1780 Nkfpon32.exe 92 PID 636 wrote to memory of 4672 636 Nndlkj32.exe 93 PID 636 wrote to memory of 4672 636 Nndlkj32.exe 93 PID 636 wrote to memory of 4672 636 Nndlkj32.exe 93 PID 4672 wrote to memory of 4160 4672 Obphlhkm.exe 94 PID 4672 wrote to memory of 4160 4672 Obphlhkm.exe 94 PID 4672 wrote to memory of 4160 4672 Obphlhkm.exe 94 PID 4160 wrote to memory of 960 4160 Oendhdjq.exe 96 PID 4160 wrote to memory of 960 4160 Oendhdjq.exe 96 PID 4160 wrote to memory of 960 4160 Oendhdjq.exe 96 PID 960 wrote to memory of 4504 960 Oijqibbj.exe 97 PID 960 wrote to memory of 4504 960 Oijqibbj.exe 97 PID 960 wrote to memory of 4504 960 Oijqibbj.exe 97 PID 4504 wrote to memory of 2808 4504 Okhmenan.exe 98 PID 4504 wrote to memory of 2808 4504 Okhmenan.exe 98 PID 4504 wrote to memory of 2808 4504 Okhmenan.exe 98 PID 2808 wrote to memory of 2572 2808 Obbeah32.exe 99 PID 2808 wrote to memory of 2572 2808 Obbeah32.exe 99 PID 2808 wrote to memory of 2572 2808 Obbeah32.exe 99 PID 2572 wrote to memory of 3872 2572 Oeqanc32.exe 101 PID 2572 wrote to memory of 3872 2572 Oeqanc32.exe 101 PID 2572 wrote to memory of 3872 2572 Oeqanc32.exe 101 PID 3872 wrote to memory of 1108 3872 Opfekl32.exe 102 PID 3872 wrote to memory of 1108 3872 Opfekl32.exe 102 PID 3872 wrote to memory of 1108 3872 Opfekl32.exe 102 PID 1108 wrote to memory of 724 1108 Oagbbdnb.exe 103 PID 1108 wrote to memory of 724 1108 Oagbbdnb.exe 103 PID 1108 wrote to memory of 724 1108 Oagbbdnb.exe 103 PID 724 wrote to memory of 1216 724 Ogajooeo.exe 105 PID 724 wrote to memory of 1216 724 Ogajooeo.exe 105 PID 724 wrote to memory of 1216 724 Ogajooeo.exe 105 PID 1216 wrote to memory of 1948 1216 Ophbqlea.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\442d8ef2c2e7dd7e6b154b5a56b93b20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\442d8ef2c2e7dd7e6b154b5a56b93b20_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Nicjhchb.exeC:\Windows\system32\Nicjhchb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Nkagdoge.exeC:\Windows\system32\Nkagdoge.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Nomcen32.exeC:\Windows\system32\Nomcen32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Nbkoai32.exeC:\Windows\system32\Nbkoai32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Nejkmdnf.exeC:\Windows\system32\Nejkmdnf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Niegnc32.exeC:\Windows\system32\Niegnc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Noopjmnl.exeC:\Windows\system32\Noopjmnl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Nqqlbe32.exeC:\Windows\system32\Nqqlbe32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Nelhbdlc.exeC:\Windows\system32\Nelhbdlc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Nkfpon32.exeC:\Windows\system32\Nkfpon32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Nndlkj32.exeC:\Windows\system32\Nndlkj32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Obphlhkm.exeC:\Windows\system32\Obphlhkm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Oendhdjq.exeC:\Windows\system32\Oendhdjq.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Oijqibbj.exeC:\Windows\system32\Oijqibbj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Okhmenan.exeC:\Windows\system32\Okhmenan.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Obbeah32.exeC:\Windows\system32\Obbeah32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Oeqanc32.exeC:\Windows\system32\Oeqanc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Opfekl32.exeC:\Windows\system32\Opfekl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Oagbbdnb.exeC:\Windows\system32\Oagbbdnb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Ogajooeo.exeC:\Windows\system32\Ogajooeo.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Ophbqlea.exeC:\Windows\system32\Ophbqlea.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Oajohd32.exeC:\Windows\system32\Oajohd32.exe23⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Oeekicdi.exeC:\Windows\system32\Oeekicdi.exe24⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Ogdgencl.exeC:\Windows\system32\Ogdgencl.exe25⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Opkoflco.exeC:\Windows\system32\Opkoflco.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Obikbgbb.exeC:\Windows\system32\Obikbgbb.exe27⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Oehgnbbf.exeC:\Windows\system32\Oehgnbbf.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3512 -
C:\Windows\SysWOW64\Ogfcjnaj.exeC:\Windows\system32\Ogfcjnaj.exe29⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Opmllk32.exeC:\Windows\system32\Opmllk32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Pblhhg32.exeC:\Windows\system32\Pblhhg32.exe31⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Pejddb32.exeC:\Windows\system32\Pejddb32.exe32⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Pihmjqfj.exeC:\Windows\system32\Pihmjqfj.exe33⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Plfiflen.exeC:\Windows\system32\Plfiflen.exe34⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Pneebg32.exeC:\Windows\system32\Pneebg32.exe35⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Pacaoc32.exeC:\Windows\system32\Pacaoc32.exe36⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Phmjkmka.exeC:\Windows\system32\Phmjkmka.exe37⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Ppdbljkd.exeC:\Windows\system32\Ppdbljkd.exe38⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Pbbnhfjh.exeC:\Windows\system32\Pbbnhfjh.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Peajdajk.exeC:\Windows\system32\Peajdajk.exe40⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Plkbak32.exeC:\Windows\system32\Plkbak32.exe41⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Ppgobjia.exeC:\Windows\system32\Ppgobjia.exe42⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Pbekne32.exeC:\Windows\system32\Pbekne32.exe43⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Pecgja32.exeC:\Windows\system32\Pecgja32.exe44⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Phbcfl32.exeC:\Windows\system32\Phbcfl32.exe45⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Qpikgj32.exeC:\Windows\system32\Qpikgj32.exe46⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Qbggce32.exeC:\Windows\system32\Qbggce32.exe47⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Qefdpq32.exeC:\Windows\system32\Qefdpq32.exe48⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe49⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Qpkhmi32.exeC:\Windows\system32\Qpkhmi32.exe50⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Qnnhhflf.exeC:\Windows\system32\Qnnhhflf.exe51⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Qehqepcc.exeC:\Windows\system32\Qehqepcc.exe52⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Qhfmalbg.exeC:\Windows\system32\Qhfmalbg.exe53⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Apndbici.exeC:\Windows\system32\Apndbici.exe54⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Ablaodbm.exeC:\Windows\system32\Ablaodbm.exe55⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Aejmkpaq.exeC:\Windows\system32\Aejmkpaq.exe56⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe57⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Aocace32.exeC:\Windows\system32\Aocace32.exe58⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Aemjpp32.exeC:\Windows\system32\Aemjpp32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Ahkflk32.exeC:\Windows\system32\Ahkflk32.exe60⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Abqjjd32.exeC:\Windows\system32\Abqjjd32.exe61⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe62⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ahncbk32.exeC:\Windows\system32\Ahncbk32.exe63⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Apekch32.exeC:\Windows\system32\Apekch32.exe64⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Abcgoc32.exeC:\Windows\system32\Abcgoc32.exe65⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Aeacko32.exeC:\Windows\system32\Aeacko32.exe66⤵PID:4264
-
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe67⤵PID:2848
-
C:\Windows\SysWOW64\Abedecjb.exeC:\Windows\system32\Abedecjb.exe68⤵PID:3600
-
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe69⤵PID:948
-
C:\Windows\SysWOW64\Bakqfp32.exeC:\Windows\system32\Bakqfp32.exe70⤵PID:2556
-
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe71⤵PID:1596
-
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe72⤵PID:4640
-
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe73⤵PID:4212
-
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe74⤵PID:1568
-
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe75⤵PID:4348
-
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe76⤵PID:3068
-
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe77⤵PID:452
-
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe78⤵PID:2392
-
C:\Windows\SysWOW64\Bekfan32.exeC:\Windows\system32\Bekfan32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Bhibni32.exeC:\Windows\system32\Bhibni32.exe80⤵PID:3396
-
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe81⤵PID:380
-
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe82⤵PID:1716
-
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe83⤵PID:4312
-
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe84⤵PID:4108
-
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe85⤵PID:4152
-
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe86⤵PID:1576
-
C:\Windows\SysWOW64\Chnlihnl.exeC:\Windows\system32\Chnlihnl.exe87⤵PID:4816
-
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe88⤵PID:1880
-
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe89⤵PID:2256
-
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe90⤵PID:4400
-
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe91⤵PID:3388
-
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe92⤵PID:1444
-
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5156 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe94⤵PID:5200
-
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe95⤵PID:5240
-
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe96⤵PID:5288
-
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe97⤵PID:5332
-
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe98⤵PID:5372
-
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe99⤵PID:5424
-
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe100⤵PID:5468
-
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe101⤵
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe102⤵PID:5556
-
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe103⤵PID:5596
-
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe104⤵PID:5632
-
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe105⤵PID:5680
-
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe106⤵PID:5720
-
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe107⤵PID:5768
-
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe108⤵PID:5804
-
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe109⤵PID:5844
-
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe110⤵PID:5884
-
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe111⤵PID:5928
-
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5968 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe113⤵PID:6016
-
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe114⤵PID:6056
-
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe115⤵PID:6100
-
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe116⤵PID:4652
-
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe117⤵PID:2804
-
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe118⤵PID:5228
-
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe119⤵PID:5284
-
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe120⤵PID:5380
-
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe121⤵PID:5044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-