Analysis
max time kernel: 94s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 10:44
Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Padodor.SK.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Padodor.SK.exe
  Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Padodor.SK.exe
Size: 96KB
MD5: a3a0ed26851f7bd9f8fced1b490a9140
SHA1: f0e05a0934d5c9a773112831a5c80921752c190a
SHA256: d180298a88d1de82bbbe8dd429657487f4db3a5b14212619814b0e9f5a98456c
SHA512: 9f17eb585c5f6155dadd1146d318f4c568f5040ebd2c2765dff8b45e8b52749919b64e71449d01221da3202323a44872306c655c5ac8f47ec768b3cc0683b1fb
SSDEEP: 1536:sW0WYz2069/ynkVG9p+Bs9bHhbWt1orpDbY/42vnhrUQVoMdUT+irF:sQYaf/yX9wBs9bHhb21WDbYQanhr1Rhk
Malware Config
Extracted: berbew
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoCs)
Processes:
  process: WerFault.exe (pid 4936)
  target process: Dggcbf32.exe (pid_target 5004)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndgbohdn.dll" Iipgeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaeacppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpnifnh.dll" Dgjfbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehgclbhf.dll" Gboolneo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aieihpgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmgblphf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aflmbj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Cfoellgb.exeC:\Windows\system32\Cfoellgb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Cmimif32.exeC:\Windows\system32\Cmimif32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Cbfeam32.exeC:\Windows\system32\Cbfeam32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Dlepjbmo.exeC:\Windows\system32\Dlepjbmo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Ddqeodjj.exeC:\Windows\system32\Ddqeodjj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Dadehh32.exeC:\Windows\system32\Dadehh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Emncci32.exeC:\Windows\system32\Emncci32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Eghdanac.exeC:\Windows\system32\Eghdanac.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Eocieq32.exeC:\Windows\system32\Eocieq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Fhnjdfcl.exeC:\Windows\system32\Fhnjdfcl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Fdjddf32.exeC:\Windows\system32\Fdjddf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Gndebkii.exeC:\Windows\system32\Gndebkii.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Gjnbmlmj.exeC:\Windows\system32\Gjnbmlmj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Gfgpgmql.exeC:\Windows\system32\Gfgpgmql.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Hkfeec32.exeC:\Windows\system32\Hkfeec32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Haejcj32.exeC:\Windows\system32\Haejcj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Hgaoec32.exeC:\Windows\system32\Hgaoec32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Hiblmldn.exeC:\Windows\system32\Hiblmldn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Jdhlih32.exeC:\Windows\system32\Jdhlih32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Jfkbqcam.exeC:\Windows\system32\Jfkbqcam.exe33⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe34⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe35⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Khhndi32.exeC:\Windows\system32\Khhndi32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe37⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe38⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe40⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ljejgp32.exeC:\Windows\system32\Ljejgp32.exe41⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe42⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Lkhcdhmk.exeC:\Windows\system32\Lkhcdhmk.exe43⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe44⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe45⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe47⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe48⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Mdhnnl32.exeC:\Windows\system32\Mdhnnl32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe50⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe51⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe52⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe53⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Ncpgeh32.exeC:\Windows\system32\Ncpgeh32.exe54⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Nlklik32.exeC:\Windows\system32\Nlklik32.exe55⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe57⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe59⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe61⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe62⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ododdlcd.exeC:\Windows\system32\Ododdlcd.exe63⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe64⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Ofpmegpe.exeC:\Windows\system32\Ofpmegpe.exe65⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe66⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe67⤵PID:1616
-
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe68⤵PID:944
-
C:\Windows\SysWOW64\Oegflcbj.exeC:\Windows\system32\Oegflcbj.exe69⤵PID:2304
-
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe70⤵PID:1728
-
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe71⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Paqdgcfl.exeC:\Windows\system32\Paqdgcfl.exe72⤵PID:2208
-
C:\Windows\SysWOW64\Phklcn32.exeC:\Windows\system32\Phklcn32.exe73⤵PID:2780
-
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe74⤵PID:2172
-
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe75⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe76⤵PID:2360
-
C:\Windows\SysWOW64\Poinkg32.exeC:\Windows\system32\Poinkg32.exe77⤵PID:1156
-
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe78⤵PID:2932
-
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe79⤵PID:2400
-
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe80⤵PID:1644
-
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe81⤵PID:2076
-
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe82⤵PID:2308
-
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe83⤵
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Alhaho32.exeC:\Windows\system32\Alhaho32.exe84⤵PID:2080
-
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe85⤵PID:760
-
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe86⤵PID:548
-
C:\Windows\SysWOW64\Afcbgd32.exeC:\Windows\system32\Afcbgd32.exe87⤵PID:2068
-
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe88⤵PID:2924
-
C:\Windows\SysWOW64\Adhohapp.exeC:\Windows\system32\Adhohapp.exe89⤵PID:1564
-
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe90⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Bgihjl32.exeC:\Windows\system32\Bgihjl32.exe91⤵PID:2968
-
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe92⤵PID:1064
-
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe93⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe94⤵PID:2544
-
C:\Windows\SysWOW64\Bfqaph32.exeC:\Windows\system32\Bfqaph32.exe95⤵PID:1636
-
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe96⤵PID:2436
-
C:\Windows\SysWOW64\Bfcnfh32.exeC:\Windows\system32\Bfcnfh32.exe97⤵PID:2328
-
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe98⤵PID:2512
-
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe99⤵PID:1000
-
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe100⤵PID:2600
-
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe101⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe102⤵PID:3012
-
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe103⤵PID:2860
-
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe104⤵PID:2648
-
C:\Windows\SysWOW64\Dedkbb32.exeC:\Windows\system32\Dedkbb32.exe105⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Dnlolhoo.exeC:\Windows\system32\Dnlolhoo.exe106⤵PID:2944
-
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe107⤵PID:2528
-
C:\Windows\SysWOW64\Djemfibq.exeC:\Windows\system32\Djemfibq.exe108⤵PID:568
-
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Dmffhd32.exeC:\Windows\system32\Dmffhd32.exe111⤵PID:2024
-
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe112⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Eojoelcm.exeC:\Windows\system32\Eojoelcm.exe113⤵PID:1096
-
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe114⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe115⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Ebghkjjc.exeC:\Windows\system32\Ebghkjjc.exe116⤵PID:2788
-
C:\Windows\SysWOW64\Edidcb32.exeC:\Windows\system32\Edidcb32.exe117⤵PID:2656
-
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Edkahbmo.exeC:\Windows\system32\Edkahbmo.exe119⤵PID:1940
-
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe120⤵PID:2228
-
C:\Windows\SysWOW64\Eaoaafli.exeC:\Windows\system32\Eaoaafli.exe121⤵PID:2312
-
C:\Windows\SysWOW64\Eijffhjd.exeC:\Windows\system32\Eijffhjd.exe122⤵PID:2372
-
C:\Windows\SysWOW64\Fcbjon32.exeC:\Windows\system32\Fcbjon32.exe123⤵PID:1804
-
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe124⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Fcegdnna.exeC:\Windows\system32\Fcegdnna.exe125⤵PID:288
-
C:\Windows\SysWOW64\Fmjkbfnh.exeC:\Windows\system32\Fmjkbfnh.exe126⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Fcgdjmlo.exeC:\Windows\system32\Fcgdjmlo.exe127⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Fefpfi32.exeC:\Windows\system32\Fefpfi32.exe128⤵PID:2616
-
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe129⤵PID:1744
-
C:\Windows\SysWOW64\Falakjag.exeC:\Windows\system32\Falakjag.exe130⤵PID:3000
-
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe131⤵PID:2296
-
C:\Windows\SysWOW64\Foqadnpq.exeC:\Windows\system32\Foqadnpq.exe132⤵PID:1688
-
C:\Windows\SysWOW64\Fdmjmenh.exeC:\Windows\system32\Fdmjmenh.exe133⤵PID:828
-
C:\Windows\SysWOW64\Gaajfi32.exeC:\Windows\system32\Gaajfi32.exe134⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Ghkbccdn.exeC:\Windows\system32\Ghkbccdn.exe135⤵PID:2880
-
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe136⤵PID:2156
-
C:\Windows\SysWOW64\Ggppdpif.exeC:\Windows\system32\Ggppdpif.exe137⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Gddpndhp.exeC:\Windows\system32\Gddpndhp.exe138⤵PID:2300
-
C:\Windows\SysWOW64\Gjahfkfg.exeC:\Windows\system32\Gjahfkfg.exe139⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Gqkqbe32.exeC:\Windows\system32\Gqkqbe32.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1772 -
C:\Windows\SysWOW64\Gfhikl32.exeC:\Windows\system32\Gfhikl32.exe141⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Gmbagf32.exeC:\Windows\system32\Gmbagf32.exe142⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Gcljdpke.exeC:\Windows\system32\Gcljdpke.exe143⤵PID:2796
-
C:\Windows\SysWOW64\Hobjia32.exeC:\Windows\system32\Hobjia32.exe144⤵PID:2736
-
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe145⤵PID:2444
-
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:824 -
C:\Windows\SysWOW64\Hdapggln.exeC:\Windows\system32\Hdapggln.exe147⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe148⤵PID:2884
-
C:\Windows\SysWOW64\Hfalaj32.exeC:\Windows\system32\Hfalaj32.exe149⤵PID:2644
-
C:\Windows\SysWOW64\Hnlqemal.exeC:\Windows\system32\Hnlqemal.exe150⤵PID:1268
-
C:\Windows\SysWOW64\Hefibg32.exeC:\Windows\system32\Hefibg32.exe151⤵PID:832
-
C:\Windows\SysWOW64\Hnomkloi.exeC:\Windows\system32\Hnomkloi.exe152⤵PID:3028
-
C:\Windows\SysWOW64\Ikbndqnc.exeC:\Windows\system32\Ikbndqnc.exe153⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Imdjlida.exeC:\Windows\system32\Imdjlida.exe154⤵PID:2204
-
C:\Windows\SysWOW64\Igioiacg.exeC:\Windows\system32\Igioiacg.exe155⤵PID:3060
-
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe156⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Ifoljn32.exeC:\Windows\system32\Ifoljn32.exe157⤵PID:1640
-
C:\Windows\SysWOW64\Iadphghe.exeC:\Windows\system32\Iadphghe.exe158⤵PID:1660
-
C:\Windows\SysWOW64\Ijmdql32.exeC:\Windows\system32\Ijmdql32.exe159⤵PID:2872
-
C:\Windows\SysWOW64\Iceiibef.exeC:\Windows\system32\Iceiibef.exe160⤵PID:2680
-
C:\Windows\SysWOW64\Jiaaaicm.exeC:\Windows\system32\Jiaaaicm.exe161⤵
- Modifies registry class
PID:284 -
C:\Windows\SysWOW64\Jbjejojn.exeC:\Windows\system32\Jbjejojn.exe162⤵
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe163⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Jekoljgo.exeC:\Windows\system32\Jekoljgo.exe164⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Jocceo32.exeC:\Windows\system32\Jocceo32.exe165⤵PID:1172
-
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe166⤵
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Jadlgjjq.exeC:\Windows\system32\Jadlgjjq.exe167⤵PID:3024
-
C:\Windows\SysWOW64\Jhndcd32.exeC:\Windows\system32\Jhndcd32.exe168⤵PID:3044
-
C:\Windows\SysWOW64\Jmkmlk32.exeC:\Windows\system32\Jmkmlk32.exe169⤵PID:2320
-
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe170⤵PID:2316
-
C:\Windows\SysWOW64\Kaieai32.exeC:\Windows\system32\Kaieai32.exe171⤵PID:1204
-
C:\Windows\SysWOW64\Kdgane32.exeC:\Windows\system32\Kdgane32.exe172⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe173⤵PID:908
-
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe174⤵PID:2492
-
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe175⤵PID:2940
-
C:\Windows\SysWOW64\Kbokda32.exeC:\Windows\system32\Kbokda32.exe176⤵PID:2604
-
C:\Windows\SysWOW64\Klgpmgod.exeC:\Windows\system32\Klgpmgod.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Kcahjqfa.exeC:\Windows\system32\Kcahjqfa.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1476 -
C:\Windows\SysWOW64\Kikpgk32.exeC:\Windows\system32\Kikpgk32.exe179⤵PID:2088
-
C:\Windows\SysWOW64\Klimcf32.exeC:\Windows\system32\Klimcf32.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Lccepqdo.exeC:\Windows\system32\Lccepqdo.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe182⤵PID:3052
-
C:\Windows\SysWOW64\Lojeda32.exeC:\Windows\system32\Lojeda32.exe183⤵PID:2692
-
C:\Windows\SysWOW64\Ldgnmhhj.exeC:\Windows\system32\Ldgnmhhj.exe184⤵PID:3040
-
C:\Windows\SysWOW64\Lolbjahp.exeC:\Windows\system32\Lolbjahp.exe185⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe186⤵PID:3080
-
C:\Windows\SysWOW64\Lppkgi32.exeC:\Windows\system32\Lppkgi32.exe187⤵PID:3120
-
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe188⤵
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Mdkcgk32.exeC:\Windows\system32\Mdkcgk32.exe189⤵
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe190⤵PID:3240
-
C:\Windows\SysWOW64\Nbodpo32.exeC:\Windows\system32\Nbodpo32.exe191⤵PID:3280
-
Process tree (continued; one entry per process: tree index, image path, command line, PID, with flagged behaviours listed beneath the process that triggered them)

192. C:\Windows\SysWOW64\Njjieace.exe (command line: C:\Windows\system32\Njjieace.exe), PID 3320
193. C:\Windows\SysWOW64\Ngoinfao.exe (command line: C:\Windows\system32\Ngoinfao.exe), PID 3360
194. C:\Windows\SysWOW64\Nnhakp32.exe (command line: C:\Windows\system32\Nnhakp32.exe), PID 3404
195. C:\Windows\SysWOW64\Ncejcg32.exe (command line: C:\Windows\system32\Ncejcg32.exe), PID 3444
196. C:\Windows\SysWOW64\Nqijmkfm.exe (command line: C:\Windows\system32\Nqijmkfm.exe), PID 3484
197. C:\Windows\SysWOW64\Njaoeq32.exe (command line: C:\Windows\system32\Njaoeq32.exe), PID 3524
198. C:\Windows\SysWOW64\Ncjcnfcn.exe (command line: C:\Windows\system32\Ncjcnfcn.exe), PID 3564
199. C:\Windows\SysWOW64\Opqdcgib.exe (command line: C:\Windows\system32\Opqdcgib.exe), PID 3604
200. C:\Windows\SysWOW64\Oenmkngi.exe (command line: C:\Windows\system32\Oenmkngi.exe), PID 3644
201. C:\Windows\SysWOW64\Ofmiea32.exe (command line: C:\Windows\system32\Ofmiea32.exe), PID 3684
202. C:\Windows\SysWOW64\Oljanhmc.exe (command line: C:\Windows\system32\Oljanhmc.exe), PID 3732
203. C:\Windows\SysWOW64\Oebffm32.exe (command line: C:\Windows\system32\Oebffm32.exe), PID 3772
    - Adds autorun key to be loaded by Explorer.exe on startup
204. C:\Windows\SysWOW64\Oedclm32.exe (command line: C:\Windows\system32\Oedclm32.exe), PID 3812
205. C:\Windows\SysWOW64\Ompgqonl.exe (command line: C:\Windows\system32\Ompgqonl.exe), PID 3852
206. C:\Windows\SysWOW64\Pjchjcmf.exe (command line: C:\Windows\system32\Pjchjcmf.exe), PID 3892
207. C:\Windows\SysWOW64\Phhhchlp.exe (command line: C:\Windows\system32\Phhhchlp.exe), PID 3932
208. C:\Windows\SysWOW64\Pmdalo32.exe (command line: C:\Windows\system32\Pmdalo32.exe), PID 3972
209. C:\Windows\SysWOW64\Pdnihiad.exe (command line: C:\Windows\system32\Pdnihiad.exe), PID 4016
    - Adds autorun key to be loaded by Explorer.exe on startup
210. C:\Windows\SysWOW64\Pikaqppk.exe (command line: C:\Windows\system32\Pikaqppk.exe), PID 4056
    - Modifies registry class
211. C:\Windows\SysWOW64\Pbcfie32.exe (command line: C:\Windows\system32\Pbcfie32.exe), PID 2232
212. C:\Windows\SysWOW64\Pmijgn32.exe (command line: C:\Windows\system32\Pmijgn32.exe), PID 3112
    - Adds autorun key to be loaded by Explorer.exe on startup
213. C:\Windows\SysWOW64\Qlnghj32.exe (command line: C:\Windows\system32\Qlnghj32.exe), PID 3168
214. C:\Windows\SysWOW64\Qeglqpaj.exe (command line: C:\Windows\system32\Qeglqpaj.exe), PID 3212
215. C:\Windows\SysWOW64\Qamleagn.exe (command line: C:\Windows\system32\Qamleagn.exe), PID 3264
216. C:\Windows\SysWOW64\Akfaof32.exe (command line: C:\Windows\system32\Akfaof32.exe), PID 3312
217. C:\Windows\SysWOW64\Aekelo32.exe (command line: C:\Windows\system32\Aekelo32.exe), PID 3356
218. C:\Windows\SysWOW64\Ahjahk32.exe (command line: C:\Windows\system32\Ahjahk32.exe), PID 3420
219. C:\Windows\SysWOW64\Ahlnmjkf.exe (command line: C:\Windows\system32\Ahlnmjkf.exe), PID 3472
220. C:\Windows\SysWOW64\Aniffaim.exe (command line: C:\Windows\system32\Aniffaim.exe), PID 3512
221. C:\Windows\SysWOW64\Ajpgkb32.exe (command line: C:\Windows\system32\Ajpgkb32.exe), PID 3572
    - Modifies registry class
222. C:\Windows\SysWOW64\Adekhkng.exe (command line: C:\Windows\system32\Adekhkng.exe), PID 3620
223. C:\Windows\SysWOW64\Boolhikf.exe (command line: C:\Windows\system32\Boolhikf.exe), PID 3656
224. C:\Windows\SysWOW64\Bjdqfajl.exe (command line: C:\Windows\system32\Bjdqfajl.exe), PID 3704
225. C:\Windows\SysWOW64\Bcmeogam.exe (command line: C:\Windows\system32\Bcmeogam.exe), PID 3768
226. C:\Windows\SysWOW64\Bhjngnod.exe (command line: C:\Windows\system32\Bhjngnod.exe), PID 3820
    - Adds autorun key to be loaded by Explorer.exe on startup
227. C:\Windows\SysWOW64\Bfnnpbnn.exe (command line: C:\Windows\system32\Bfnnpbnn.exe), PID 3868
228. C:\Windows\SysWOW64\Bofbih32.exe (command line: C:\Windows\system32\Bofbih32.exe), PID 3920
    - System Location Discovery: System Language Discovery
229. C:\Windows\SysWOW64\Bgagnjbi.exe (command line: C:\Windows\system32\Bgagnjbi.exe), PID 3968
230. C:\Windows\SysWOW64\Bbflkcao.exe (command line: C:\Windows\system32\Bbflkcao.exe), PID 4024
231. C:\Windows\SysWOW64\Bgcdcjpf.exe (command line: C:\Windows\system32\Bgcdcjpf.exe), PID 4076
232. C:\Windows\SysWOW64\Cnmlpd32.exe (command line: C:\Windows\system32\Cnmlpd32.exe), PID 3104
233. C:\Windows\SysWOW64\Ckamihfm.exe (command line: C:\Windows\system32\Ckamihfm.exe), PID 3144
234. C:\Windows\SysWOW64\Cqqbgoba.exe (command line: C:\Windows\system32\Cqqbgoba.exe), PID 3196
    - Adds autorun key to be loaded by Explorer.exe on startup
235. C:\Windows\SysWOW64\Cmgblphf.exe (command line: C:\Windows\system32\Cmgblphf.exe), PID 3276
    - Modifies registry class
236. C:\Windows\SysWOW64\Cjkcedgp.exe (command line: C:\Windows\system32\Cjkcedgp.exe), PID 3352
    - Drops file in System32 directory
237. C:\Windows\SysWOW64\Dippfplg.exe (command line: C:\Windows\system32\Dippfplg.exe), PID 3400
    - Drops file in System32 directory
238. C:\Windows\SysWOW64\Dnmhogjo.exe (command line: C:\Windows\system32\Dnmhogjo.exe), PID 3476
239. C:\Windows\SysWOW64\Dicmlpje.exe (command line: C:\Windows\system32\Dicmlpje.exe), PID 3536
240. C:\Windows\SysWOW64\Dghjmlnm.exe (command line: C:\Windows\system32\Dghjmlnm.exe), PID 3612
241. C:\Windows\SysWOW64\Dgjfbllj.exe (command line: C:\Windows\system32\Dgjfbllj.exe), PID 3660
    - Modifies registry class
242. C:\Windows\SysWOW64\Dcaghm32.exe (command line: C:\Windows\system32\Dcaghm32.exe), PID 3676
    - Drops file in System32 directory