Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 10:36

Static task: static1

Behavioral task: behavioral1
Sample: Backdoor.Win32.Padodor.SK.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Backdoor.Win32.Padodor.SK.exe
Resource: win10v2004-20240802-en
General

Target: Backdoor.Win32.Padodor.SK.exe
Size: 96KB
MD5: 6a1d0174019a616b402034c39b810030
SHA1: f68c65c8f83018db5b9f6797e2273b048b4c8a63
SHA256: 1af3a27470a729ab20ba8575a25349bc6230ae70e4f0e4b1e070c5c3bb1adad6
SHA512: a52ef03d20ad26ed195babe99232f5c8cea748a8352b693c5635151b703fa88b621438507d10af93ea36d9900da9991f00c0851a279c94865bc053db4a9dc7ff
SSDEEP: 1536:W7sZXJQT3VemYNTzzuh7l2RDKx6qvneS3dO+daZxduV9jojTIvjrH:WYXJ4emYNT42RDu6q/Vqxd69jc0vf
Malware Config

Extracted: berbew
URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Executes dropped EXE (64 IoCs)

Loads dropped DLL (64 IoCs)

Drops file in System32 directory (64 IoCs)

System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgekcjh.dll" Jkkjeeke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbpoebgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koibpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll" Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkdbea32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ccbbachm.exeC:\Windows\system32\Ccbbachm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Ciagojda.exeC:\Windows\system32\Ciagojda.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Ckpckece.exeC:\Windows\system32\Ckpckece.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Ckbpqe32.exeC:\Windows\system32\Ckbpqe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Dfhdnn32.exeC:\Windows\system32\Dfhdnn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Dadbdkld.exeC:\Windows\system32\Dadbdkld.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Dlifadkk.exeC:\Windows\system32\Dlifadkk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Dhpgfeao.exeC:\Windows\system32\Dhpgfeao.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Dcghkf32.exeC:\Windows\system32\Dcghkf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Efedga32.exeC:\Windows\system32\Efedga32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Eblelb32.exeC:\Windows\system32\Eblelb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Ejcmmp32.exeC:\Windows\system32\Ejcmmp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Epbbkf32.exeC:\Windows\system32\Epbbkf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe33⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe34⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Eafkhn32.exeC:\Windows\system32\Eafkhn32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe36⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe37⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe38⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Fhbpkh32.exeC:\Windows\system32\Fhbpkh32.exe39⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe40⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe41⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Fooembgb.exeC:\Windows\system32\Fooembgb.exe42⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe43⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Fgjjad32.exeC:\Windows\system32\Fgjjad32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Fmdbnnlj.exeC:\Windows\system32\Fmdbnnlj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Fdnjkh32.exeC:\Windows\system32\Fdnjkh32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe47⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe48⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Fijbco32.exeC:\Windows\system32\Fijbco32.exe49⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe50⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Fpdkpiik.exeC:\Windows\system32\Fpdkpiik.exe51⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Fccglehn.exeC:\Windows\system32\Fccglehn.exe52⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Fgocmc32.exeC:\Windows\system32\Fgocmc32.exe53⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Fimoiopk.exeC:\Windows\system32\Fimoiopk.exe54⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe55⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Gpggei32.exeC:\Windows\system32\Gpggei32.exe56⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe57⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ggapbcne.exeC:\Windows\system32\Ggapbcne.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Giolnomh.exeC:\Windows\system32\Giolnomh.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Ghbljk32.exeC:\Windows\system32\Ghbljk32.exe60⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Gpidki32.exeC:\Windows\system32\Gpidki32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Gcgqgd32.exeC:\Windows\system32\Gcgqgd32.exe62⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Ghdiokbq.exeC:\Windows\system32\Ghdiokbq.exe64⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Gkcekfad.exeC:\Windows\system32\Gkcekfad.exe65⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe66⤵PID:1696
-
C:\Windows\SysWOW64\Gehiioaj.exeC:\Windows\system32\Gehiioaj.exe67⤵PID:1700
-
C:\Windows\SysWOW64\Ghgfekpn.exeC:\Windows\system32\Ghgfekpn.exe68⤵PID:1600
-
C:\Windows\SysWOW64\Gkebafoa.exeC:\Windows\system32\Gkebafoa.exe69⤵PID:2568
-
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe70⤵PID:2872
-
C:\Windows\SysWOW64\Gekfnoog.exeC:\Windows\system32\Gekfnoog.exe71⤵PID:2444
-
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe72⤵PID:2236
-
C:\Windows\SysWOW64\Gockgdeh.exeC:\Windows\system32\Gockgdeh.exe73⤵PID:1152
-
C:\Windows\SysWOW64\Gaagcpdl.exeC:\Windows\system32\Gaagcpdl.exe74⤵PID:556
-
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe75⤵PID:1320
-
C:\Windows\SysWOW64\Hhkopj32.exeC:\Windows\system32\Hhkopj32.exe76⤵PID:2920
-
C:\Windows\SysWOW64\Hgnokgcc.exeC:\Windows\system32\Hgnokgcc.exe77⤵PID:968
-
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe78⤵PID:1056
-
C:\Windows\SysWOW64\Hnhgha32.exeC:\Windows\system32\Hnhgha32.exe79⤵PID:2368
-
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe80⤵PID:1648
-
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe81⤵PID:828
-
C:\Windows\SysWOW64\Hklhae32.exeC:\Windows\system32\Hklhae32.exe82⤵PID:1784
-
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe83⤵PID:608
-
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe84⤵PID:1060
-
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe85⤵PID:2080
-
C:\Windows\SysWOW64\Hgciff32.exeC:\Windows\system32\Hgciff32.exe86⤵PID:2860
-
C:\Windows\SysWOW64\Hjaeba32.exeC:\Windows\system32\Hjaeba32.exe87⤵
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Hmpaom32.exeC:\Windows\system32\Hmpaom32.exe88⤵PID:2636
-
C:\Windows\SysWOW64\Hcjilgdb.exeC:\Windows\system32\Hcjilgdb.exe89⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Hgeelf32.exeC:\Windows\system32\Hgeelf32.exe90⤵PID:2840
-
C:\Windows\SysWOW64\Hfhfhbce.exeC:\Windows\system32\Hfhfhbce.exe91⤵PID:2852
-
C:\Windows\SysWOW64\Hifbdnbi.exeC:\Windows\system32\Hifbdnbi.exe92⤵PID:2380
-
C:\Windows\SysWOW64\Hmbndmkb.exeC:\Windows\system32\Hmbndmkb.exe93⤵PID:404
-
C:\Windows\SysWOW64\Hclfag32.exeC:\Windows\system32\Hclfag32.exe94⤵PID:2028
-
C:\Windows\SysWOW64\Hbofmcij.exeC:\Windows\system32\Hbofmcij.exe95⤵PID:1000
-
C:\Windows\SysWOW64\Hiioin32.exeC:\Windows\system32\Hiioin32.exe96⤵PID:1528
-
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe97⤵PID:3068
-
C:\Windows\SysWOW64\Iocgfhhc.exeC:\Windows\system32\Iocgfhhc.exe98⤵PID:2772
-
C:\Windows\SysWOW64\Ibacbcgg.exeC:\Windows\system32\Ibacbcgg.exe99⤵PID:1584
-
C:\Windows\SysWOW64\Ieponofk.exeC:\Windows\system32\Ieponofk.exe100⤵PID:2308
-
C:\Windows\SysWOW64\Ikjhki32.exeC:\Windows\system32\Ikjhki32.exe101⤵PID:2124
-
C:\Windows\SysWOW64\Inhdgdmk.exeC:\Windows\system32\Inhdgdmk.exe102⤵PID:2000
-
C:\Windows\SysWOW64\Ibcphc32.exeC:\Windows\system32\Ibcphc32.exe103⤵PID:2632
-
C:\Windows\SysWOW64\Iinhdmma.exeC:\Windows\system32\Iinhdmma.exe104⤵PID:1096
-
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe105⤵PID:824
-
C:\Windows\SysWOW64\Iogpag32.exeC:\Windows\system32\Iogpag32.exe106⤵
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Injqmdki.exeC:\Windows\system32\Injqmdki.exe107⤵PID:1180
-
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe108⤵PID:2972
-
C:\Windows\SysWOW64\Iipejmko.exeC:\Windows\system32\Iipejmko.exe109⤵PID:1520
-
C:\Windows\SysWOW64\Iknafhjb.exeC:\Windows\system32\Iknafhjb.exe110⤵PID:972
-
C:\Windows\SysWOW64\Inmmbc32.exeC:\Windows\system32\Inmmbc32.exe111⤵PID:748
-
C:\Windows\SysWOW64\Iakino32.exeC:\Windows\system32\Iakino32.exe112⤵PID:1548
-
C:\Windows\SysWOW64\Igebkiof.exeC:\Windows\system32\Igebkiof.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe114⤵PID:2176
-
C:\Windows\SysWOW64\Iamfdo32.exeC:\Windows\system32\Iamfdo32.exe115⤵PID:1452
-
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Jfjolf32.exeC:\Windows\system32\Jfjolf32.exe117⤵PID:2428
-
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe118⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Japciodd.exeC:\Windows\system32\Japciodd.exe119⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Jcnoejch.exeC:\Windows\system32\Jcnoejch.exe120⤵PID:560
-
C:\Windows\SysWOW64\Jfmkbebl.exeC:\Windows\system32\Jfmkbebl.exe121⤵PID:2312
-
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe122⤵PID:2612
-
C:\Windows\SysWOW64\Jpepkk32.exeC:\Windows\system32\Jpepkk32.exe123⤵PID:1808
-
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe124⤵PID:264
-
C:\Windows\SysWOW64\Jimdcqom.exeC:\Windows\system32\Jimdcqom.exe125⤵PID:1640
-
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe126⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe127⤵PID:1756
-
C:\Windows\SysWOW64\Jedehaea.exeC:\Windows\system32\Jedehaea.exe128⤵PID:2336
-
C:\Windows\SysWOW64\Jipaip32.exeC:\Windows\system32\Jipaip32.exe129⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe130⤵PID:1580
-
C:\Windows\SysWOW64\Jnmiag32.exeC:\Windows\system32\Jnmiag32.exe131⤵PID:2836
-
C:\Windows\SysWOW64\Jefbnacn.exeC:\Windows\system32\Jefbnacn.exe132⤵
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe133⤵PID:2976
-
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe134⤵PID:272
-
C:\Windows\SysWOW64\Kidjdpie.exeC:\Windows\system32\Kidjdpie.exe135⤵PID:2652
-
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe136⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe137⤵PID:1192
-
C:\Windows\SysWOW64\Khjgel32.exeC:\Windows\system32\Khjgel32.exe138⤵PID:3060
-
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe139⤵PID:1416
-
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe140⤵PID:2304
-
C:\Windows\SysWOW64\Kfodfh32.exeC:\Windows\system32\Kfodfh32.exe141⤵PID:1812
-
C:\Windows\SysWOW64\Kkjpggkn.exeC:\Windows\system32\Kkjpggkn.exe142⤵PID:1940
-
C:\Windows\SysWOW64\Kpgionie.exeC:\Windows\system32\Kpgionie.exe143⤵PID:288
-
C:\Windows\SysWOW64\Khnapkjg.exeC:\Windows\system32\Khnapkjg.exe144⤵PID:684
-
C:\Windows\SysWOW64\Kkmmlgik.exeC:\Windows\system32\Kkmmlgik.exe145⤵PID:1880
-
C:\Windows\SysWOW64\Kmkihbho.exeC:\Windows\system32\Kmkihbho.exe146⤵PID:2892
-
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe147⤵PID:2820
-
C:\Windows\SysWOW64\Kgcnahoo.exeC:\Windows\system32\Kgcnahoo.exe148⤵PID:2436
-
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe150⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe151⤵
- Drops file in System32 directory
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Llbconkd.exeC:\Windows\system32\Llbconkd.exe152⤵PID:2324
-
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe153⤵PID:2576
-
C:\Windows\SysWOW64\Lcmklh32.exeC:\Windows\system32\Lcmklh32.exe154⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe155⤵PID:2832
-
C:\Windows\SysWOW64\Lhiddoph.exeC:\Windows\system32\Lhiddoph.exe156⤵PID:2928
-
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe157⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Loclai32.exeC:\Windows\system32\Loclai32.exe158⤵PID:2944
-
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe159⤵PID:2688
-
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe160⤵PID:2916
-
C:\Windows\SysWOW64\Llgljn32.exeC:\Windows\system32\Llgljn32.exe161⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Lkjmfjmi.exeC:\Windows\system32\Lkjmfjmi.exe162⤵PID:2564
-
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe163⤵PID:1476
-
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe164⤵PID:2148
-
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe165⤵PID:1992
-
C:\Windows\SysWOW64\Lhnmoo32.exeC:\Windows\system32\Lhnmoo32.exe166⤵PID:2068
-
C:\Windows\SysWOW64\Lklikj32.exeC:\Windows\system32\Lklikj32.exe167⤵PID:2696
-
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe168⤵PID:1976
-
C:\Windows\SysWOW64\Mebnic32.exeC:\Windows\system32\Mebnic32.exe169⤵PID:2756
-
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe170⤵PID:2588
-
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe171⤵PID:1804
-
C:\Windows\SysWOW64\Mojbaham.exeC:\Windows\system32\Mojbaham.exe172⤵PID:2716
-
C:\Windows\SysWOW64\Mainndaq.exeC:\Windows\system32\Mainndaq.exe173⤵PID:2004
-
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe174⤵PID:2196
-
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe175⤵PID:1248
-
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe176⤵PID:2580
-
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe177⤵PID:3028
-
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe178⤵PID:3080
-
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe179⤵PID:3120
-
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe180⤵PID:3160
-
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe181⤵
- System Location Discovery: System Language Discovery
PID:3200 -
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe182⤵PID:3240
-
C:\Windows\SysWOW64\Mcodqkbi.exeC:\Windows\system32\Mcodqkbi.exe183⤵PID:3280
-
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe184⤵
- Drops file in System32 directory
PID:3320 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe185⤵
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3400 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe187⤵PID:3440
-
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe188⤵
- Modifies registry class
PID:3480 -
C:\Windows\SysWOW64\Mjkibehc.exeC:\Windows\system32\Mjkibehc.exe189⤵PID:3520
-
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3560 -
C:\Windows\SysWOW64\Nccnlk32.exeC:\Windows\system32\Nccnlk32.exe191⤵PID:3600
-
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe192⤵PID:3640
-
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe193⤵PID:3680
-
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe194⤵PID:3720
-
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe195⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe196⤵PID:3800
-
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe197⤵PID:3840
-
C:\Windows\SysWOW64\Nfdfmfle.exeC:\Windows\system32\Nfdfmfle.exe198⤵
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe199⤵
- System Location Discovery: System Language Discovery
PID:3920 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe200⤵PID:3960
-
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe201⤵PID:4000
-
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe202⤵PID:4044
-
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe203⤵PID:4084
-
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe204⤵PID:688
-
C:\Windows\SysWOW64\Nnahgh32.exeC:\Windows\system32\Nnahgh32.exe205⤵PID:3152
-
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe206⤵PID:3196
-
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe207⤵PID:3260
-
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe208⤵PID:3296
-
C:\Windows\SysWOW64\Nkehql32.exeC:\Windows\system32\Nkehql32.exe209⤵PID:3344
-
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe210⤵PID:3388
-
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe211⤵PID:3412
-
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe212⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe213⤵
- Modifies registry class
PID:3548 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe214⤵
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe215⤵PID:3648
-
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe216⤵PID:3696
-
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe217⤵PID:3748
-
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe218⤵PID:3784
-
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe219⤵PID:3852
-
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe220⤵PID:3816
-
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe221⤵
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe222⤵PID:3984
-
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe223⤵PID:4052
-
C:\Windows\SysWOW64\Oibohdmd.exeC:\Windows\system32\Oibohdmd.exe224⤵
- Drops file in System32 directory
PID:3076 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe225⤵PID:3128
-
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe226⤵PID:3112
-
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe227⤵PID:3216
-
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe228⤵PID:3328
-
C:\Windows\SysWOW64\Omphocck.exeC:\Windows\system32\Omphocck.exe229⤵PID:3396
-
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe230⤵
- System Location Discovery: System Language Discovery
PID:3436 -
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe231⤵
- Drops file in System32 directory
PID:3516 -
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe232⤵
- System Location Discovery: System Language Discovery
PID:3512 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe233⤵PID:3632
-
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe234⤵PID:3692
-
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe235⤵PID:3700
-
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe236⤵PID:3768
-
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3900 -
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3936 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe239⤵PID:3972
-
C:\Windows\SysWOW64\Pbajbi32.exeC:\Windows\system32\Pbajbi32.exe240⤵PID:4012
-
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe241⤵PID:3104
-
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe242⤵PID:3132