Analysis
max time kernel: 125s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 23:31
Behavioral task behavioral1
Sample: 6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task behavioral2
Sample: 6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe
Size: 4.0MB
MD5: 6d082380b6dde79eabeb5a66b1ff6910
SHA1: ddbbe0fda0790dda5796ecad00a5b12772acb174
SHA256: 3ffa589c61079a1054abe1b180573730924d1af6213cbe5800f62d452858dfe0
SHA512: b68cdc657351c8d2d14bb6b7f68b7550b25d859c19778a87ca75ce5a64282c7944bde1904ba99b2bffdb65695bd38c768fb8337d31255ce353e293f61aabcebd
SSDEEP: 98304:+6Gn9646r6HaSHFaZRBEYyqmS2DiHPKQgmZ0V:saSHFaZRBEYyqmS2DiHPKQg/
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe33⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe34⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe36⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe37⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe38⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe39⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe40⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe41⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe42⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe43⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe44⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe46⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe47⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe48⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe49⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe50⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe51⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe52⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe53⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe54⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe55⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe57⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe59⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe60⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe62⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe63⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe64⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe65⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nkbalifo.exeC:\Windows\system32\Nkbalifo.exe66⤵PID:1644
-
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe67⤵PID:2972
-
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe68⤵PID:1240
-
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe69⤵PID:2408
-
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe70⤵PID:584
-
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe71⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe73⤵PID:1348
-
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe74⤵PID:1888
-
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe75⤵PID:1856
-
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:852 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe77⤵PID:1600
-
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe78⤵PID:1416
-
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe79⤵PID:1852
-
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe80⤵PID:2556
-
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe81⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe82⤵PID:1292
-
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe83⤵
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe84⤵PID:804
-
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316 -
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe86⤵PID:2084
-
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe87⤵PID:1216
-
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe88⤵PID:1840
-
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe89⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe90⤵PID:1328
-
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe91⤵PID:2208
-
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe92⤵PID:988
-
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe93⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe94⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe95⤵PID:2660
-
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe96⤵PID:1892
-
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe97⤵PID:2564
-
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe98⤵PID:2684
-
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe99⤵PID:1300
-
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe100⤵PID:1148
-
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe101⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe104⤵PID:1276
-
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe105⤵PID:2852
-
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe106⤵PID:2384
-
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:744 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe108⤵PID:2188
-
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe109⤵PID:2240
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe110⤵PID:1760
-
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe111⤵PID:3048
-
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe112⤵PID:2532
-
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe113⤵PID:2540
-
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe114⤵PID:2080
-
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe116⤵PID:1916
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe117⤵PID:2108
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe118⤵PID:1100
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe119⤵PID:1340
-
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe120⤵PID:2848
-
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe121⤵PID:3004
-
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe122⤵PID:1608
-
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe123⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe124⤵PID:2572
-
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe125⤵PID:2284
-
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe126⤵PID:2944
-
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe127⤵PID:2112
-
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe128⤵PID:2900
-
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe129⤵PID:1580
-
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe131⤵PID:1280
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe132⤵PID:1788
-
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe133⤵PID:692
-
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe134⤵PID:1616
-
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe135⤵PID:2704
-
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe136⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe137⤵PID:2424
-
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe138⤵PID:1680
-
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe139⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe140⤵PID:2004
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe141⤵
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe142⤵PID:2840
-
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe143⤵PID:1084
-
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe144⤵PID:2712
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe145⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe146⤵PID:2440
-
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe147⤵PID:2488
-
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe148⤵PID:308
-
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe149⤵PID:352
-
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe150⤵PID:676
-
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe151⤵
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe152⤵PID:2788
-
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe153⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe154⤵PID:1876
-
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe155⤵
- Drops file in System32 directory
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe156⤵PID:2640
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe157⤵PID:2988
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe158⤵PID:2824
-
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe160⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe161⤵PID:1904
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe162⤵PID:2116
-
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe163⤵PID:1796
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe164⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe165⤵PID:2804
-
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe166⤵PID:2092
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe167⤵PID:2964
-
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe168⤵PID:812
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe169⤵PID:2328
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe170⤵PID:2296
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe172⤵PID:2172
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe173⤵
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe175⤵PID:1740
-
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe176⤵PID:2724
-
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe177⤵PID:1408
-
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe178⤵PID:2636
-
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe179⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe180⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe181⤵PID:1860
-
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe182⤵PID:3064
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe183⤵PID:340
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe184⤵PID:764
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe185⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe186⤵PID:2968
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe187⤵PID:2912
-
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe188⤵PID:2336
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe190⤵PID:1316
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe191⤵PID:2728
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe192⤵PID:2180
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe193⤵
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe194⤵PID:2456
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe195⤵PID:1712
-
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe196⤵PID:552
-
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe197⤵PID:1708
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe198⤵PID:1688
-
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe199⤵PID:828
-
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe200⤵PID:1820
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe201⤵PID:2932
-
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe202⤵PID:3052
-
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe203⤵PID:1028
-
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe204⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe205⤵PID:2160
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe206⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe207⤵
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe208⤵PID:2496
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe209⤵PID:1744
-
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe210⤵PID:2304
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe214⤵PID:1780
-
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe215⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe216⤵PID:2936
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe217⤵
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe219⤵PID:2656
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe220⤵PID:2484
-
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe221⤵PID:1676
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe222⤵PID:2480
-
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe223⤵PID:1924
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe224⤵PID:748
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe225⤵PID:2584
-
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe227⤵PID:3028
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe231⤵PID:1508
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe232⤵PID:1812
-
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe233⤵PID:2668
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe234⤵PID:3040
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe235⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe236⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe237⤵PID:1652
-
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe238⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe239⤵PID:2360
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe240⤵PID:1544
-
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe242⤵PID:2616