Analysis
max time kernel: 105s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 10:45
Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Padodor.SK.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Padodor.SK.exe
  Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Padodor.SK.exe
Size: 96KB
MD5: 967480ddc7351bf48eac385f300a0e50
SHA1: 69aa17a8eddc59d8cf7911c8bf9fa82f42dfc02a
SHA256: cab08c7ebe98710daa4326a1e937ba85776678e40dc89bb4e1e0d9c72166dc5d
SHA512: df59be02c650f947d9021b3c4ac616ac726324597238fac4e7c217db8d023373217968339b860fdf348895e4ff48e32b53bc24a88d0738a400101712919cafb2
SSDEEP: 1536:b09/AR1M/3ueHscBPDOf3gvs99wP3UNjyRQ+MVR5R45WtqV9R2R462izMg3R7ih9:qoRG3ueMcBPif3gESkjye+6HrtG9MW3H
Malware Config
Extracted (family: berbew)
URLs:
  http://viruslist.com/wcmd.txt
  http://viruslist.com/ppslog.php
  http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
The third entry is a printf-style template; the placeholders are left exactly as extracted.
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts. The CLSID written here, {79ECA078-17FF-726B-E811-213280E5C831}, is the one whose InProcServer32 path is pointed at a DLL under SysWow64 in the "Modifies registry class" section below, so that DLL is loaded into Explorer at every logon without any Run key.
Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  34 rows. Process recorded for 26 of them: Lpkmkl32.exe, Mheqie32.exe, Gelonn32.exe, Mekfmp32.exe, Chldbl32.exe, Iiiapg32.exe, Necandjo.exe, Odhjmc32.exe, Clphjc32.exe, Mcagma32.exe, Kpmkjlbi.exe, Clbdobpc.exe, Mgkghp32.exe, Oeibcnmf.exe, Glmecbbj.exe, Chmpicbd.exe, Eempcfbi.exe, Plgmabke.exe, Pnicgi32.exe, Gkcgaoka.exe, Gncblo32.exe, Fknido32.exe, Fjqlid32.exe, Imifpagp.exe, Eqjceidf.exe, Fmcchb32.exe; the other 8 rows carry no process name in the report.
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
  30 rows. Process recorded for 22 of them: Cpcaeghc.exe, Qohkdkdn.exe, Nmdfglhm.exe, Hbjmodph.exe, Filnjk32.exe, Bdlccoje.exe, Agfhmo32.exe, Dmimkc32.exe, Gmnkqcem.exe, Fgkbac32.exe, Hbgjoo32.exe, Onmmad32.exe, Mhippbem.exe, Acoegp32.exe, Konpjafp.exe, Cbpncn32.exe, Paoedc32.exe, Beignlig.exe, Icdllk32.exe, Mbadih32.exe, Ecdkgg32.exe, Fiomhc32.exe; the other 8 rows carry no process name in the report.
Executes dropped EXE (64 IoCs)
pid and process, in the order the report lists them (the names run alphabetically from C to P):
  2732 Cdbqflae.exe, 2860 Dklibf32.exe, 2296 Dqiakm32.exe, 2664 Djaedbnj.exe
  1752 Djfooa32.exe, 2240 Emieflec.exe, 512 Eipekmjg.exe, 2212 Eibbqmhd.exe
  960 Emdgjpkd.exe, 2528 Fpdqlkhe.exe, 2940 Fdbibjok.exe, 1204 Fpijgk32.exe
  2412 Fhgkqmph.exe, 2168 Gmhmdc32.exe, 2496 Gmkjjbhg.exe, 2608 Ggekhhle.exe
  2000 Hcllmi32.exe, 2144 Hhkakonn.exe, 776 Hadece32.exe, 964 Hkljljko.exe
  1964 Hfanjcke.exe, 2392 Iolohhpc.exe, 1064 Iqnlpq32.exe, 2508 Iqbekpal.exe
  2900 Imifpagp.exe, 564 Ijmfiefj.exe, 2876 Jibcja32.exe, 2740 Jigmeagl.exe
  2680 Jboanfmm.exe, 2652 Jgnflmia.exe, 3044 Kagkebpb.exe, 3048 Knkkngol.exe
  2596 Kjdiigbm.exe, 1960 Likbpceb.exe, 432 Lafgdfbm.exe, 2408 Laidie32.exe
  2416 Lheilofe.exe, 2336 Lhgeao32.exe, 2268 Mgmbbkij.exe, 1156 Mpegka32.exe
  1084 Mlndfa32.exe, 2996 Mibeofaf.exe, 1936 Nlcnaaog.exe, 1484 Nndjhi32.exe
  3008 Nkhkbmco.exe, 1968 Nhlkkabh.exe, 1408 Njmhcj32.exe, 2380 Ncellpog.exe
  2988 Nlnqeeeh.exe, 1716 Nnnmoh32.exe, 2792 Ofibcj32.exe, 2632 Ombjpd32.exe
  2648 Ohikeegf.exe, 2616 Ofmknifp.exe, 1516 Oofpgolq.exe, 1836 Ofphdi32.exe
  2328 Onkmhl32.exe, 848 Ogcaaahi.exe, 2180 Pjbnmm32.exe, 1796 Pegaje32.exe
  2224 Panboflg.exe, 2028 Pghklq32.exe, 1700 Pmecdgbk.exe, 924 Pgjgapaa.exe
Loads dropped DLL (64 IoCs)
pid and process; each of the 32 processes below is listed twice in the report, giving 64 rows:
  2440 Backdoor.Win32.Padodor.SK.exe, 2732 Cdbqflae.exe, 2860 Dklibf32.exe, 2296 Dqiakm32.exe
  2664 Djaedbnj.exe, 1752 Djfooa32.exe, 2240 Emieflec.exe, 512 Eipekmjg.exe
  2212 Eibbqmhd.exe, 960 Emdgjpkd.exe, 2528 Fpdqlkhe.exe, 2940 Fdbibjok.exe
  1204 Fpijgk32.exe, 2412 Fhgkqmph.exe, 2168 Gmhmdc32.exe, 2496 Gmkjjbhg.exe
  2608 Ggekhhle.exe, 2000 Hcllmi32.exe, 2144 Hhkakonn.exe, 776 Hadece32.exe
  964 Hkljljko.exe, 1964 Hfanjcke.exe, 2392 Iolohhpc.exe, 1064 Iqnlpq32.exe
  2508 Iqbekpal.exe, 2900 Imifpagp.exe, 564 Ijmfiefj.exe, 2876 Jibcja32.exe
  2740 Jigmeagl.exe, 2680 Jboanfmm.exe, 2652 Jgnflmia.exe, 3044 Kagkebpb.exe
Drops file in System32 directory (64 IoCs)
description: path (writing process, where the report records one)
  File created: C:\Windows\SysWOW64\Oiglpl32.dll (Giafmfad.exe)
  File opened for modification: C:\Windows\SysWOW64\Dojcci32.exe
  File created: C:\Windows\SysWOW64\Pmnmdakk.dll
  File opened for modification: C:\Windows\SysWOW64\Jifemgnb.exe
  File created: C:\Windows\SysWOW64\Jcmdbf32.dll (Ponadfim.exe)
  File created: C:\Windows\SysWOW64\Acjjch32.exe (Qjaejbmq.exe)
  File created: C:\Windows\SysWOW64\Hhhmmfgf.exe
  File created: C:\Windows\SysWOW64\Jolingnk.exe (Jhbaam32.exe)
  File created: C:\Windows\SysWOW64\Edljfd32.exe (Digfil32.exe)
  File created: C:\Windows\SysWOW64\Anildf32.dll (Kmlbia32.exe)
  File created: C:\Windows\SysWOW64\Ihkeng32.dll
  File created: C:\Windows\SysWOW64\Ecpkne32.exe
  File created: C:\Windows\SysWOW64\Ciecfp32.dll (Qhejed32.exe)
  File opened for modification: C:\Windows\SysWOW64\Apeakonl.exe (Aflmbj32.exe)
  File opened for modification: C:\Windows\SysWOW64\Immqeq32.exe (Icdllk32.exe)
  File opened for modification: C:\Windows\SysWOW64\Nqffoa32.exe (Njlnbg32.exe)
  File opened for modification: C:\Windows\SysWOW64\Mhklfbcj.exe (Mbadih32.exe)
  File created: C:\Windows\SysWOW64\Fmpklm32.dll
  File opened for modification: C:\Windows\SysWOW64\Oigmbagp.exe (Olclimif.exe)
  File created: C:\Windows\SysWOW64\Odgennoi.exe (Onmmad32.exe)
  File created: C:\Windows\SysWOW64\Fbhdgfdk.dll
  File created: C:\Windows\SysWOW64\Jpfigmch.dll (Bdlakf32.exe)
  File created: C:\Windows\SysWOW64\Mqfgok32.dll (Nghbpfin.exe)
  File created: C:\Windows\SysWOW64\Bddfhjma.exe
  File created: C:\Windows\SysWOW64\Pdlmnm32.exe (Pkdiehca.exe)
  File created: C:\Windows\SysWOW64\Bbobdolj.dll (Jknnoppp.exe)
  File created: C:\Windows\SysWOW64\Gqjncg32.dll (Dmpckbci.exe)
  File opened for modification: C:\Windows\SysWOW64\Hepdml32.exe (Hlgodgnk.exe)
  File opened for modification: C:\Windows\SysWOW64\Qkmjbo32.exe (Qepbjh32.exe)
  File opened for modification: C:\Windows\SysWOW64\Mjnohc32.exe (Mljnoo32.exe)
  File created: C:\Windows\SysWOW64\Mfkkek32.dll (Pbohmh32.exe)
  File opened for modification: C:\Windows\SysWOW64\Cpigeblb.exe (Cioohh32.exe)
  File created: C:\Windows\SysWOW64\Kmpkhl32.exe (Kdefdjnl.exe)
  File created: C:\Windows\SysWOW64\Gaahmd32.exe (Gaokhdja.exe)
  File created: C:\Windows\SysWOW64\Ifhcad32.dll (Kcbfjaeq.exe)
  File created: C:\Windows\SysWOW64\Feqlnaic.dll
  File opened for modification: C:\Windows\SysWOW64\Hffpiikm.exe (Gmnkqcem.exe)
  File created: C:\Windows\SysWOW64\Ghhcfk32.exe
  File opened for modification: C:\Windows\SysWOW64\Gpihog32.exe (Gnhlgoia.exe)
  File created: C:\Windows\SysWOW64\Blhkon32.exe (Benbbcmf.exe)
  File opened for modification: C:\Windows\SysWOW64\Acjjch32.exe (Qjaejbmq.exe)
  File created: C:\Windows\SysWOW64\Dhmihn32.dll
  File created: C:\Windows\SysWOW64\Jcognhco.dll (Filnjk32.exe)
  File created: C:\Windows\SysWOW64\Jiphpf32.exe (Jphcgq32.exe)
  File created: C:\Windows\SysWOW64\Igqjfb32.exe (Ioibde32.exe)
  File opened for modification: C:\Windows\SysWOW64\Fjefnckj.exe
  File created: C:\Windows\SysWOW64\Jpenhj32.dll (Mibeofaf.exe)
  File created: C:\Windows\SysWOW64\Kocobh32.dll (Bgemal32.exe)
  File opened for modification: C:\Windows\SysWOW64\Ajjejdhc.exe
  File opened for modification: C:\Windows\SysWOW64\Jofkcb32.exe
  File opened for modification: C:\Windows\SysWOW64\Hhfqejoh.exe (Gkbplepn.exe)
  File created: C:\Windows\SysWOW64\Edgmjhfh.exe (Ebfqbp32.exe)
  File created: C:\Windows\SysWOW64\Qedibbah.dll (Ejoagm32.exe)
  File created: C:\Windows\SysWOW64\Ofphdi32.exe (Oofpgolq.exe)
  File opened for modification: C:\Windows\SysWOW64\Jnfdlpje.exe (Jbpcgo32.exe)
  File created: C:\Windows\SysWOW64\Mlokem32.dll (Pkalph32.exe)
  File created: C:\Windows\SysWOW64\Dcimlnba.dll (Fgkbac32.exe)
  File opened for modification: C:\Windows\SysWOW64\Immcnikq.exe (Igqjfb32.exe)
  File created: C:\Windows\SysWOW64\Pocbne32.dll
  File created: C:\Windows\SysWOW64\Dcjoka32.dll
  File created: C:\Windows\SysWOW64\Hpadllnj.exe
  File created: C:\Windows\SysWOW64\Halhkamm.dll (Ecibjn32.exe)
  File created: C:\Windows\SysWOW64\Nlkonhkb.exe (Nbckeb32.exe)
  File opened for modification: C:\Windows\SysWOW64\Eomaha32.exe (Edgmjhfh.exe)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  64 rows. Process recorded for 45 of them: Gkcgaoka.exe, Hdneohbk.exe, Ponadfim.exe, Paojeafn.exe, Nlfohb32.exe, Pdmpgfae.exe, Facmhk32.exe, Mpegka32.exe, Emcqpjhh.exe, Hjlekm32.exe, Pnicgi32.exe, Beignlig.exe, Kpohplpf.exe, Ojfhblci.exe, Kodhbe32.exe, Njialh32.exe, Onmmad32.exe, Hadece32.exe, Nlnqeeeh.exe, Aoqjhiie.exe, Amnemb32.exe, Onkoadhm.exe, Nmglpjak.exe, Fjqlid32.exe, Nghbpfin.exe, Bkflpi32.exe, Camlpldf.exe, Ncnplogn.exe, Nllafq32.exe, Dheljhof.exe, Hmpemkkf.exe, Ifgpkm32.exe, Omfoko32.exe, Ddeammok.exe, Bdhjfc32.exe, Geqnho32.exe, Ckgapo32.exe, Kjmeaa32.exe, Cpadpg32.exe, Jmaedolh.exe, Kmpkhl32.exe, Einljkji.exe, Moqkgmol.exe, Elogdoon.exe, Glmckikf.exe; the other 19 rows carry no process name in the report.
Modifies registry class (64 IoCs)
All 64 rows touch \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, the COM server registration for the CLSID placed under ShellServiceObjectDelayLoad above.
Key created: ...\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
  16 rows. Process recorded for 14 of them: Babdhlmh.exe, Enblpe32.exe, Goemjbna.exe, Ahomlb32.exe, Gdgadeee.exe, Hmbdlc32.exe, Kmpkhl32.exe, Heqhon32.exe, Koidficq.exe, Hdikch32.exe, Glmecbbj.exe, Pkopjh32.exe, Cbebjpaa.exe, Knnagehi.exe; 2 rows carry no process name.
Set value (str): ...\InProcServer32\ThreadingModel = "Apartment"
  24 rows. Process recorded for 20 of them: Pmecdgbk.exe, Lkomhp32.exe, Lmfnbohm.exe, Qokjcc32.exe, Jgeppe32.exe, Bcnomjbg.exe, Hcbogk32.exe, Dhagaj32.exe, Eacnpoqi.exe, Lgcjmkcd.exe, Oeqmek32.exe, Cigijhne.exe, Edjjph32.exe, Lijinaed.exe, Noecjh32.exe, Acjjch32.exe, Jnfdlpje.exe, Cecnflpd.exe, Kglgnhgq.exe, Cnjhbjql.exe; 4 rows carry no process name.
Set value (str): ...\InProcServer32\ = "C:\\Windows\\SysWow64\\<name>.dll" (empty value name, i.e. the key's default value, which names the in-process server DLL)
  24 rows, each pointing the server at a different DLL under SysWow64 (writing process in parentheses where the report records one): Gjdgoh32.dll (Bndckc32.exe), Pocbne32.dll, Mmadag32.dll (Enpoje32.exe), Mknfqe32.dll (Bpkedbka.exe), Ckeqca32.dll (Cnjhbjql.exe), Oiolpb32.dll (Nmaialjp.exe), Ddogmf32.dll (Jjnqhh32.exe), Bccpob32.dll, Gjadipam.dll, Pjgbfapp.dll (Dilggefh.exe), Finqaibj.dll (Hlliof32.exe), Bbiangbo.dll (Dgjdjghf.exe), Fhiqmobf.dll (Albijp32.exe), Aofnic32.dll (Bcnomjbg.exe), Bjfhgh32.dll (Icdllk32.exe), Eghhpi32.dll (Ldfgdn32.exe), Jobgmokc.dll (Coidpiac.exe), Jofjcfle.dll (Kmeknakn.exe), Phkdbm32.dll, Maqiin32.dll, Ngifff32.dll, Fmbkgfki.dll (Dhiacg32.exe), Nnjocd32.dll (Bnlihgln.exe), Lindbn32.dll (Emieflec.exe)
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree as recorded by the sandbox. Each row is a child of the row above it (the level column is the nesting depth); the image path is the file on disk and the command line is how it was started. The signatures column lists the behaviours the sandbox attributed to that process.

| Level | PID | Image path | Command line | Signatures |
|---|---|---|---|---|
| 1 | 2440 | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe | "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe" | Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 2 | 2732 | C:\Windows\SysWOW64\Cdbqflae.exe | C:\Windows\system32\Cdbqflae.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 3 | 2860 | C:\Windows\SysWOW64\Dklibf32.exe | C:\Windows\system32\Dklibf32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 4 | 2296 | C:\Windows\SysWOW64\Dqiakm32.exe | C:\Windows\system32\Dqiakm32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 5 | 2664 | C:\Windows\SysWOW64\Djaedbnj.exe | C:\Windows\system32\Djaedbnj.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 6 | 1752 | C:\Windows\SysWOW64\Djfooa32.exe | C:\Windows\system32\Djfooa32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 7 | 2240 | C:\Windows\SysWOW64\Emieflec.exe | C:\Windows\system32\Emieflec.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory |
| 8 | 512 | C:\Windows\SysWOW64\Eipekmjg.exe | C:\Windows\system32\Eipekmjg.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 9 | 2212 | C:\Windows\SysWOW64\Eibbqmhd.exe | C:\Windows\system32\Eibbqmhd.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 10 | 960 | C:\Windows\SysWOW64\Emdgjpkd.exe | C:\Windows\system32\Emdgjpkd.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 11 | 2528 | C:\Windows\SysWOW64\Fpdqlkhe.exe | C:\Windows\system32\Fpdqlkhe.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 12 | 2940 | C:\Windows\SysWOW64\Fdbibjok.exe | C:\Windows\system32\Fdbibjok.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 13 | 1204 | C:\Windows\SysWOW64\Fpijgk32.exe | C:\Windows\system32\Fpijgk32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 14 | 2412 | C:\Windows\SysWOW64\Fhgkqmph.exe | C:\Windows\system32\Fhgkqmph.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 15 | 2168 | C:\Windows\SysWOW64\Gmhmdc32.exe | C:\Windows\system32\Gmhmdc32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 16 | 2496 | C:\Windows\SysWOW64\Gmkjjbhg.exe | C:\Windows\system32\Gmkjjbhg.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 17 | 2608 | C:\Windows\SysWOW64\Ggekhhle.exe | C:\Windows\system32\Ggekhhle.exe | Executes dropped EXE; Loads dropped DLL |
| 18 | 2000 | C:\Windows\SysWOW64\Hcllmi32.exe | C:\Windows\system32\Hcllmi32.exe | Executes dropped EXE; Loads dropped DLL |
| 19 | 2144 | C:\Windows\SysWOW64\Hhkakonn.exe | C:\Windows\system32\Hhkakonn.exe | Executes dropped EXE; Loads dropped DLL |
| 20 | 776 | C:\Windows\SysWOW64\Hadece32.exe | C:\Windows\system32\Hadece32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery |
| 21 | 964 | C:\Windows\SysWOW64\Hkljljko.exe | C:\Windows\system32\Hkljljko.exe | Executes dropped EXE; Loads dropped DLL |
| 22 | 1964 | C:\Windows\SysWOW64\Hfanjcke.exe | C:\Windows\system32\Hfanjcke.exe | Executes dropped EXE; Loads dropped DLL |
| 23 | 2392 | C:\Windows\SysWOW64\Iolohhpc.exe | C:\Windows\system32\Iolohhpc.exe | Executes dropped EXE; Loads dropped DLL |
| 24 | 1064 | C:\Windows\SysWOW64\Iqnlpq32.exe | C:\Windows\system32\Iqnlpq32.exe | Executes dropped EXE; Loads dropped DLL |
| 25 | 2508 | C:\Windows\SysWOW64\Iqbekpal.exe | C:\Windows\system32\Iqbekpal.exe | Executes dropped EXE; Loads dropped DLL |
| 26 | 2900 | C:\Windows\SysWOW64\Imifpagp.exe | C:\Windows\system32\Imifpagp.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL |
| 27 | 564 | C:\Windows\SysWOW64\Ijmfiefj.exe | C:\Windows\system32\Ijmfiefj.exe | Executes dropped EXE; Loads dropped DLL |
| 28 | 2876 | C:\Windows\SysWOW64\Jibcja32.exe | C:\Windows\system32\Jibcja32.exe | Executes dropped EXE; Loads dropped DLL |
| 29 | 2740 | C:\Windows\SysWOW64\Jigmeagl.exe | C:\Windows\system32\Jigmeagl.exe | Executes dropped EXE; Loads dropped DLL |
| 30 | 2680 | C:\Windows\SysWOW64\Jboanfmm.exe | C:\Windows\system32\Jboanfmm.exe | Executes dropped EXE; Loads dropped DLL |
| 31 | 2652 | C:\Windows\SysWOW64\Jgnflmia.exe | C:\Windows\system32\Jgnflmia.exe | Executes dropped EXE; Loads dropped DLL |
| 32 | 3044 | C:\Windows\SysWOW64\Kagkebpb.exe | C:\Windows\system32\Kagkebpb.exe | Executes dropped EXE; Loads dropped DLL |
| 33 | 3048 | C:\Windows\SysWOW64\Knkkngol.exe | C:\Windows\system32\Knkkngol.exe | Executes dropped EXE |
| 34 | 2596 | C:\Windows\SysWOW64\Kjdiigbm.exe | C:\Windows\system32\Kjdiigbm.exe | Executes dropped EXE |
| 35 | 1960 | C:\Windows\SysWOW64\Likbpceb.exe | C:\Windows\system32\Likbpceb.exe | Executes dropped EXE |
| 36 | 432 | C:\Windows\SysWOW64\Lafgdfbm.exe | C:\Windows\system32\Lafgdfbm.exe | Executes dropped EXE |
| 37 | 2408 | C:\Windows\SysWOW64\Laidie32.exe | C:\Windows\system32\Laidie32.exe | Executes dropped EXE |
| 38 | 2416 | C:\Windows\SysWOW64\Lheilofe.exe | C:\Windows\system32\Lheilofe.exe | Executes dropped EXE |
| 39 | 2336 | C:\Windows\SysWOW64\Lhgeao32.exe | C:\Windows\system32\Lhgeao32.exe | Executes dropped EXE |
| 40 | 2268 | C:\Windows\SysWOW64\Mgmbbkij.exe | C:\Windows\system32\Mgmbbkij.exe | Executes dropped EXE |
| 41 | 1156 | C:\Windows\SysWOW64\Mpegka32.exe | C:\Windows\system32\Mpegka32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 42 | 1084 | C:\Windows\SysWOW64\Mlndfa32.exe | C:\Windows\system32\Mlndfa32.exe | Executes dropped EXE |
| 43 | 2996 | C:\Windows\SysWOW64\Mibeofaf.exe | C:\Windows\system32\Mibeofaf.exe | Executes dropped EXE; Drops file in System32 directory |
| 44 | 1936 | C:\Windows\SysWOW64\Nlcnaaog.exe | C:\Windows\system32\Nlcnaaog.exe | Executes dropped EXE |
| 45 | 1484 | C:\Windows\SysWOW64\Nndjhi32.exe | C:\Windows\system32\Nndjhi32.exe | Executes dropped EXE |
| 46 | 3008 | C:\Windows\SysWOW64\Nkhkbmco.exe | C:\Windows\system32\Nkhkbmco.exe | Executes dropped EXE |
| 47 | 1968 | C:\Windows\SysWOW64\Nhlkkabh.exe | C:\Windows\system32\Nhlkkabh.exe | Executes dropped EXE |
| 48 | 1408 | C:\Windows\SysWOW64\Njmhcj32.exe | C:\Windows\system32\Njmhcj32.exe | Executes dropped EXE |
| 49 | 2380 | C:\Windows\SysWOW64\Ncellpog.exe | C:\Windows\system32\Ncellpog.exe | Executes dropped EXE |
| 50 | 2988 | C:\Windows\SysWOW64\Nlnqeeeh.exe | C:\Windows\system32\Nlnqeeeh.exe | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 51 | 1716 | C:\Windows\SysWOW64\Nnnmoh32.exe | C:\Windows\system32\Nnnmoh32.exe | Executes dropped EXE |
| 52 | 2792 | C:\Windows\SysWOW64\Ofibcj32.exe | C:\Windows\system32\Ofibcj32.exe | Executes dropped EXE |
| 53 | 2632 | C:\Windows\SysWOW64\Ombjpd32.exe | C:\Windows\system32\Ombjpd32.exe | Executes dropped EXE |
| 54 | 2648 | C:\Windows\SysWOW64\Ohikeegf.exe | C:\Windows\system32\Ohikeegf.exe | Executes dropped EXE |
| 55 | 2616 | C:\Windows\SysWOW64\Ofmknifp.exe | C:\Windows\system32\Ofmknifp.exe | Executes dropped EXE |
| 56 | 1516 | C:\Windows\SysWOW64\Oofpgolq.exe | C:\Windows\system32\Oofpgolq.exe | Executes dropped EXE; Drops file in System32 directory |
| 57 | 1836 | C:\Windows\SysWOW64\Ofphdi32.exe | C:\Windows\system32\Ofphdi32.exe | Executes dropped EXE |
| 58 | 2328 | C:\Windows\SysWOW64\Onkmhl32.exe | C:\Windows\system32\Onkmhl32.exe | Executes dropped EXE |
| 59 | 848 | C:\Windows\SysWOW64\Ogcaaahi.exe | C:\Windows\system32\Ogcaaahi.exe | Executes dropped EXE |
| 60 | 2180 | C:\Windows\SysWOW64\Pjbnmm32.exe | C:\Windows\system32\Pjbnmm32.exe | Executes dropped EXE |
| 61 | 1796 | C:\Windows\SysWOW64\Pegaje32.exe | C:\Windows\system32\Pegaje32.exe | Executes dropped EXE |
| 62 | 2224 | C:\Windows\SysWOW64\Panboflg.exe | C:\Windows\system32\Panboflg.exe | Executes dropped EXE |
| 63 | 2028 | C:\Windows\SysWOW64\Pghklq32.exe | C:\Windows\system32\Pghklq32.exe | Executes dropped EXE |
| 64 | 1700 | C:\Windows\SysWOW64\Pmecdgbk.exe | C:\Windows\system32\Pmecdgbk.exe | Executes dropped EXE; Modifies registry class |
| 65 | 924 | C:\Windows\SysWOW64\Pgjgapaa.exe | C:\Windows\system32\Pgjgapaa.exe | Executes dropped EXE |
| 66 | 2024 | C:\Windows\SysWOW64\Ppelfbol.exe | C:\Windows\system32\Ppelfbol.exe | |
| 67 | 3020 | C:\Windows\SysWOW64\Pjkpckob.exe | C:\Windows\system32\Pjkpckob.exe | |
| 68 | 1604 | C:\Windows\SysWOW64\Pbfehn32.exe | C:\Windows\system32\Pbfehn32.exe | |
| 69 | 2796 | C:\Windows\SysWOW64\Qmlief32.exe | C:\Windows\system32\Qmlief32.exe | |
| 70 | 2864 | C:\Windows\SysWOW64\Qbiamm32.exe | C:\Windows\system32\Qbiamm32.exe | |
| 71 | 2280 | C:\Windows\SysWOW64\Qhejed32.exe | C:\Windows\system32\Qhejed32.exe | Drops file in System32 directory |
| 72 | 572 | C:\Windows\SysWOW64\Aanonj32.exe | C:\Windows\system32\Aanonj32.exe | |
| 73 | 2236 | C:\Windows\SysWOW64\Ajfcgoec.exe | C:\Windows\system32\Ajfcgoec.exe | |
| 74 | 1080 | C:\Windows\SysWOW64\Ahjcqcdm.exe | C:\Windows\system32\Ahjcqcdm.exe | |
| 75 | 396 | C:\Windows\SysWOW64\Amglij32.exe | C:\Windows\system32\Amglij32.exe | |
| 76 | 2728 | C:\Windows\SysWOW64\Aofhcmig.exe | C:\Windows\system32\Aofhcmig.exe | |
| 77 | 1840 | C:\Windows\SysWOW64\Ahomlb32.exe | C:\Windows\system32\Ahomlb32.exe | Modifies registry class |
| 78 | 2316 | C:\Windows\SysWOW64\Amledj32.exe | C:\Windows\system32\Amledj32.exe | |
| 79 | 1404 | C:\Windows\SysWOW64\Abhnlqlf.exe | C:\Windows\system32\Abhnlqlf.exe | |
| 80 | 2536 | C:\Windows\SysWOW64\Bdhjfc32.exe | C:\Windows\system32\Bdhjfc32.exe | System Location Discovery: System Language Discovery |
| 81 | 2516 | C:\Windows\SysWOW64\Beignlig.exe | C:\Windows\system32\Beignlig.exe | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery |
| 82 | 928 | C:\Windows\SysWOW64\Bbmggp32.exe | C:\Windows\system32\Bbmggp32.exe | |
| 83 | 1532 | C:\Windows\SysWOW64\Blelpeoa.exe | C:\Windows\system32\Blelpeoa.exe | |
| 84 | 1748 | C:\Windows\SysWOW64\Babdhlmh.exe | C:\Windows\system32\Babdhlmh.exe | Modifies registry class |
| 85 | 652 | C:\Windows\SysWOW64\Blhifemo.exe | C:\Windows\system32\Blhifemo.exe | |
| 86 | 1600 | C:\Windows\SysWOW64\Bljeke32.exe | C:\Windows\system32\Bljeke32.exe | |
| 87 | 2968 | C:\Windows\SysWOW64\Bnkbcmaj.exe | C:\Windows\system32\Bnkbcmaj.exe | |
| 88 | 2932 | C:\Windows\SysWOW64\Cnnohmog.exe | C:\Windows\system32\Cnnohmog.exe | |
| 89 | 2808 | C:\Windows\SysWOW64\Ckboba32.exe | C:\Windows\system32\Ckboba32.exe | |
| 90 | 2112 | C:\Windows\SysWOW64\Ckdlgq32.exe | C:\Windows\system32\Ckdlgq32.exe | |
| 91 | 2404 | C:\Windows\SysWOW64\Cpadpg32.exe | C:\Windows\system32\Cpadpg32.exe | System Location Discovery: System Language Discovery |
| 92 | 2984 | C:\Windows\SysWOW64\Cnedilio.exe | C:\Windows\system32\Cnedilio.exe | |
| 93 | 2452 | C:\Windows\SysWOW64\Cpcaeghc.exe | C:\Windows\system32\Cpcaeghc.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 94 | 2216 | C:\Windows\SysWOW64\Dfecim32.exe | C:\Windows\system32\Dfecim32.exe | |
| 95 | 1244 | C:\Windows\SysWOW64\Domgache.exe | C:\Windows\system32\Domgache.exe | |
| 96 | 1816 | C:\Windows\SysWOW64\Dheljhof.exe | C:\Windows\system32\Dheljhof.exe | System Location Discovery: System Language Discovery |
| 97 | 3016 | C:\Windows\SysWOW64\Dopdgb32.exe | C:\Windows\system32\Dopdgb32.exe | |
| 98 | 388 | C:\Windows\SysWOW64\Dqqqokla.exe | C:\Windows\system32\Dqqqokla.exe | |
| 99 | 1576 | C:\Windows\SysWOW64\Dkfdlclg.exe | C:\Windows\system32\Dkfdlclg.exe | |
| 100 | 2784 | C:\Windows\SysWOW64\Egmeadbk.exe | C:\Windows\system32\Egmeadbk.exe | |
| 101 | 3036 | C:\Windows\SysWOW64\Engnno32.exe | C:\Windows\system32\Engnno32.exe | |
| 102 | 2712 | C:\Windows\SysWOW64\Edafjiqe.exe | C:\Windows\system32\Edafjiqe.exe | |
| 103 | 2888 | C:\Windows\SysWOW64\Ejnnbpol.exe | C:\Windows\system32\Ejnnbpol.exe | |
| 104 | 2964 | C:\Windows\SysWOW64\Epkgkfmd.exe | C:\Windows\system32\Epkgkfmd.exe | |
| 105 | 852 | C:\Windows\SysWOW64\Efdohq32.exe | C:\Windows\system32\Efdohq32.exe | |
| 106 | 2220 | C:\Windows\SysWOW64\Eqjceidf.exe | C:\Windows\system32\Eqjceidf.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 107 | 1560 | C:\Windows\SysWOW64\Efglmpbn.exe | C:\Windows\system32\Efglmpbn.exe | |
| 108 | 636 | C:\Windows\SysWOW64\Emadjj32.exe | C:\Windows\system32\Emadjj32.exe | |
| 109 | 2816 | C:\Windows\SysWOW64\Efihcpqk.exe | C:\Windows\system32\Efihcpqk.exe | |
| 110 | 1432 | C:\Windows\SysWOW64\Emcqpjhh.exe | C:\Windows\system32\Emcqpjhh.exe | System Location Discovery: System Language Discovery |
| 111 | 2192 | C:\Windows\SysWOW64\Endmgb32.exe | C:\Windows\system32\Endmgb32.exe | |
| 112 | 1208 | C:\Windows\SysWOW64\Fijadk32.exe | C:\Windows\system32\Fijadk32.exe | |
| 113 | 2184 | C:\Windows\SysWOW64\Fpdjaeei.exe | C:\Windows\system32\Fpdjaeei.exe | |
| 114 | 2020 | C:\Windows\SysWOW64\Fbbfmqdm.exe | C:\Windows\system32\Fbbfmqdm.exe | |
| 115 | 1916 | C:\Windows\SysWOW64\Filnjk32.exe | C:\Windows\system32\Filnjk32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory |
| 116 | 1456 | C:\Windows\SysWOW64\Fjnkac32.exe | C:\Windows\system32\Fjnkac32.exe | |
| 117 | 1744 | C:\Windows\SysWOW64\Fecool32.exe | C:\Windows\system32\Fecool32.exe | |
| 118 | 2252 | C:\Windows\SysWOW64\Fhakkg32.exe | C:\Windows\system32\Fhakkg32.exe | |
| 119 | 1108 | C:\Windows\SysWOW64\Fjpggb32.exe | C:\Windows\system32\Fjpggb32.exe | |
| 120 | 2016 | C:\Windows\SysWOW64\Fdhlphff.exe | C:\Windows\system32\Fdhlphff.exe | |
| 121 | 3064 | C:\Windows\SysWOW64\Ffghlcei.exe | C:\Windows\system32\Ffghlcei.exe | |
| 122 | 2852 | C:\Windows\SysWOW64\Fmqpinlf.exe | C:\Windows\system32\Fmqpinlf.exe | |
| 123 | 2780 | C:\Windows\SysWOW64\Fhfdffll.exe | C:\Windows\system32\Fhfdffll.exe | |
| 124 | 548 | C:\Windows\SysWOW64\Gmcmomjc.exe | C:\Windows\system32\Gmcmomjc.exe | |
| 125 | 2676 | C:\Windows\SysWOW64\Gpaikiig.exe | C:\Windows\system32\Gpaikiig.exe | |
| 126 | 1920 | C:\Windows\SysWOW64\Gjgmhaim.exe | C:\Windows\system32\Gjgmhaim.exe | |
| 127 | 2948 | C:\Windows\SysWOW64\Glhjpjok.exe | C:\Windows\system32\Glhjpjok.exe | |
| 128 | 2360 | C:\Windows\SysWOW64\Gbbbld32.exe | C:\Windows\system32\Gbbbld32.exe | |
| 129 | 2532 | C:\Windows\SysWOW64\Geqnho32.exe | C:\Windows\system32\Geqnho32.exe | System Location Discovery: System Language Discovery |
| 130 | 2444 | C:\Windows\SysWOW64\Gljfeimi.exe | C:\Windows\system32\Gljfeimi.exe | |
| 131 | 2332 | C:\Windows\SysWOW64\Glmckikf.exe | C:\Windows\system32\Glmckikf.exe | System Location Discovery: System Language Discovery |
| 132 | 2668 | C:\Windows\SysWOW64\Gkbplepn.exe | C:\Windows\system32\Gkbplepn.exe | Drops file in System32 directory |
| 133 | 2120 | C:\Windows\SysWOW64\Hhfqejoh.exe | C:\Windows\system32\Hhfqejoh.exe | |
| 134 | 2208 | C:\Windows\SysWOW64\Hdmajkdl.exe | C:\Windows\system32\Hdmajkdl.exe | |
| 135 | 2032 | C:\Windows\SysWOW64\Hobfgcdb.exe | C:\Windows\system32\Hobfgcdb.exe | |
| 136 | 836 | C:\Windows\SysWOW64\Hdonpjbi.exe | C:\Windows\system32\Hdonpjbi.exe | |
| 137 | 2116 | C:\Windows\SysWOW64\Hdakej32.exe | C:\Windows\system32\Hdakej32.exe | |
| 138 | 1988 | C:\Windows\SysWOW64\Hnjonpgg.exe | C:\Windows\system32\Hnjonpgg.exe | |
| 139 | 1360 | C:\Windows\SysWOW64\Ilolol32.exe | C:\Windows\system32\Ilolol32.exe | |
| 140 | 1764 | C:\Windows\SysWOW64\Igdqmeke.exe | C:\Windows\system32\Igdqmeke.exe | |
| 141 | 2164 | C:\Windows\SysWOW64\Ianambhc.exe | C:\Windows\system32\Ianambhc.exe | |
| 142 | 2488 | C:\Windows\SysWOW64\Ihhjjm32.exe | C:\Windows\system32\Ihhjjm32.exe | |
| 143 | 2340 | C:\Windows\SysWOW64\Ilfbpk32.exe | C:\Windows\system32\Ilfbpk32.exe | |
| 144 | 2064 | C:\Windows\SysWOW64\Iackhb32.exe | C:\Windows\system32\Iackhb32.exe | |
| 145 | 2072 | C:\Windows\SysWOW64\Igpcpi32.exe | C:\Windows\system32\Igpcpi32.exe | |
| 146 | 1052 | C:\Windows\SysWOW64\Ibehna32.exe | C:\Windows\system32\Ibehna32.exe | |
| 147 | 1228 | C:\Windows\SysWOW64\Jgbpfhpc.exe | C:\Windows\system32\Jgbpfhpc.exe | |
| 148 | 2788 | C:\Windows\SysWOW64\Jdfqomom.exe | C:\Windows\system32\Jdfqomom.exe | |
| 149 | 2824 | C:\Windows\SysWOW64\Jmaedolh.exe | C:\Windows\system32\Jmaedolh.exe | System Location Discovery: System Language Discovery |
| 150 | 2040 | C:\Windows\SysWOW64\Jnqanbcj.exe | C:\Windows\system32\Jnqanbcj.exe | |
| 151 | 2904 | C:\Windows\SysWOW64\Jjjohbgl.exe | C:\Windows\system32\Jjjohbgl.exe | |
| 152 | 2960 | C:\Windows\SysWOW64\Kecpipck.exe | C:\Windows\system32\Kecpipck.exe | |
| 153 | 2568 | C:\Windows\SysWOW64\Koidficq.exe | C:\Windows\system32\Koidficq.exe | Modifies registry class |
| 154 | 2132 | C:\Windows\SysWOW64\Kefmnp32.exe | C:\Windows\system32\Kefmnp32.exe | |
| 155 | 1660 | C:\Windows\SysWOW64\Knnagehi.exe | C:\Windows\system32\Knnagehi.exe | Modifies registry class |
| 156 | 1188 | C:\Windows\SysWOW64\Kicednho.exe | C:\Windows\system32\Kicednho.exe | |
| 157 | 2832 | C:\Windows\SysWOW64\Kbljmd32.exe | C:\Windows\system32\Kbljmd32.exe | |
| 158 | 2228 | C:\Windows\SysWOW64\Kgibeklf.exe | C:\Windows\system32\Kgibeklf.exe | |
| 159 | 2992 | C:\Windows\SysWOW64\Knckbe32.exe | C:\Windows\system32\Knckbe32.exe | |
| 160 | 2088 | C:\Windows\SysWOW64\Kmeknakn.exe | C:\Windows\system32\Kmeknakn.exe | Modifies registry class |
| 161 | 1356 | C:\Windows\SysWOW64\Lpfdpmho.exe | C:\Windows\system32\Lpfdpmho.exe | |
| 162 | 2700 | C:\Windows\SysWOW64\Lfpllg32.exe | C:\Windows\system32\Lfpllg32.exe | |
| 163 | 2300 | C:\Windows\SysWOW64\Lfbibfmi.exe | C:\Windows\system32\Lfbibfmi.exe | |
| 164 | 3052 | C:\Windows\SysWOW64\Lpkmkl32.exe | C:\Windows\system32\Lpkmkl32.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 165 | 948 | C:\Windows\SysWOW64\Mogqlgbi.exe | C:\Windows\system32\Mogqlgbi.exe | |
| 166 | 872 | C:\Windows\SysWOW64\Mmlmmdga.exe | C:\Windows\system32\Mmlmmdga.exe | |
| 167 | 2320 | C:\Windows\SysWOW64\Mclbkjcf.exe | C:\Windows\system32\Mclbkjcf.exe | |
| 168 | 1544 | C:\Windows\SysWOW64\Mmaghc32.exe | C:\Windows\system32\Mmaghc32.exe | |
| 169 | 2660 | C:\Windows\SysWOW64\Ncnoaj32.exe | C:\Windows\system32\Ncnoaj32.exe | |
| 170 | 2736 | C:\Windows\SysWOW64\Npbpjn32.exe | C:\Windows\system32\Npbpjn32.exe | |
| 171 | 2688 | C:\Windows\SysWOW64\Nliqoofa.exe | C:\Windows\system32\Nliqoofa.exe | |
| 172 | 2420 | C:\Windows\SysWOW64\Nimaic32.exe | C:\Windows\system32\Nimaic32.exe | |
| 173 | 2432 | C:\Windows\SysWOW64\Necandjo.exe | C:\Windows\system32\Necandjo.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 174 | 2640 | C:\Windows\SysWOW64\Nhbnjpic.exe | C:\Windows\system32\Nhbnjpic.exe | |
| 175 | 2068 | C:\Windows\SysWOW64\Ndhooaog.exe | C:\Windows\system32\Ndhooaog.exe | |
| 176 | 2464 | C:\Windows\SysWOW64\Ooncljom.exe | C:\Windows\system32\Ooncljom.exe | |
| 177 | 1596 | C:\Windows\SysWOW64\Odkkdqmd.exe | C:\Windows\system32\Odkkdqmd.exe | |
| 178 | 2776 | C:\Windows\SysWOW64\Oncpmf32.exe | C:\Windows\system32\Oncpmf32.exe | |
| 179 | 2152 | C:\Windows\SysWOW64\Ojjqbg32.exe | C:\Windows\system32\Ojjqbg32.exe | |
| 180 | 3084 | C:\Windows\SysWOW64\Ognakk32.exe | C:\Windows\system32\Ognakk32.exe | |
| 181 | 3124 | C:\Windows\SysWOW64\Oceaql32.exe | C:\Windows\system32\Oceaql32.exe | |
| 182 | 3164 | C:\Windows\SysWOW64\Ommfibdg.exe | C:\Windows\system32\Ommfibdg.exe | |
| 183 | 3204 | C:\Windows\SysWOW64\Pjafbfca.exe | C:\Windows\system32\Pjafbfca.exe | |
| 184 | 3244 | C:\Windows\SysWOW64\Pcikllja.exe | C:\Windows\system32\Pcikllja.exe | |
| 185 | 3284 | C:\Windows\SysWOW64\Pifcdbhi.exe | C:\Windows\system32\Pifcdbhi.exe | |
| 186 | 3324 | C:\Windows\SysWOW64\Pbohmh32.exe | C:\Windows\system32\Pbohmh32.exe | Drops file in System32 directory |
| 187 | 3364 | C:\Windows\SysWOW64\Pneiaidn.exe | C:\Windows\system32\Pneiaidn.exe | |
| 188 | 3404 | C:\Windows\SysWOW64\Pgnmjokn.exe | C:\Windows\system32\Pgnmjokn.exe | |
| 189 | 3452 | C:\Windows\SysWOW64\Pafacd32.exe | C:\Windows\system32\Pafacd32.exe | |
| 190 | 3496 | C:\Windows\SysWOW64\Qnjbmh32.exe | C:\Windows\system32\Qnjbmh32.exe | |
| 191 | 3536 | C:\Windows\SysWOW64\Qcgkeonp.exe | C:\Windows\system32\Qcgkeonp.exe | |
| 192 | 3576 | C:\Windows\SysWOW64\Qjacai32.exe | C:\Windows\system32\Qjacai32.exe | |
| 193 | 3616 | C:\Windows\SysWOW64\Ajcpgi32.exe | C:\Windows\system32\Ajcpgi32.exe | |
| 194 | 3656 | C:\Windows\SysWOW64\Acldpojj.exe | C:\Windows\system32\Acldpojj.exe | |
| 195 | 3696 | C:\Windows\SysWOW64\Algida32.exe | C:\Windows\system32\Algida32.exe | |
| 196 | 3736 | C:\Windows\SysWOW64\Aflmbj32.exe | C:\Windows\system32\Aflmbj32.exe | Drops file in System32 directory |
| 197 | 3776 | C:\Windows\SysWOW64\Apeakonl.exe | C:\Windows\system32\Apeakonl.exe | |
| 198 | 3816 | C:\Windows\SysWOW64\Afojgiei.exe | C:\Windows\system32\Afojgiei.exe | |
| 199 | 3856 | C:\Windows\SysWOW64\Abejlj32.exe | C:\Windows\system32\Abejlj32.exe | |
| 200 | 3896 | C:\Windows\SysWOW64\Alnoepam.exe | C:\Windows\system32\Alnoepam.exe | |
| 201 | 3936 | C:\Windows\SysWOW64\Bdiciboh.exe | C:\Windows\system32\Bdiciboh.exe | |
| 202 | 3980 | C:\Windows\SysWOW64\Bmahbhei.exe | C:\Windows\system32\Bmahbhei.exe | |
| 203 | 4020 | C:\Windows\SysWOW64\Bmdehgcf.exe | C:\Windows\system32\Bmdehgcf.exe | |
| 204 | 4064 | C:\Windows\SysWOW64\Bbcjfn32.exe | C:\Windows\system32\Bbcjfn32.exe | |
| 205 | 2344 | C:\Windows\SysWOW64\Bimbbhgh.exe | C:\Windows\system32\Bimbbhgh.exe | |
| 206 | 3112 | C:\Windows\SysWOW64\Blkoocfl.exe | C:\Windows\system32\Blkoocfl.exe | |
| 207 | 3148 | C:\Windows\SysWOW64\Cioohh32.exe | C:\Windows\system32\Cioohh32.exe | Drops file in System32 directory |
| 208 | 3220 | C:\Windows\SysWOW64\Cpigeblb.exe | C:\Windows\system32\Cpigeblb.exe | |
| 209 | 3256 | C:\Windows\SysWOW64\Clphjc32.exe | C:\Windows\system32\Clphjc32.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 210 | 3316 | C:\Windows\SysWOW64\Clbdobpc.exe | C:\Windows\system32\Clbdobpc.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 211 | 3356 | C:\Windows\SysWOW64\Cekihh32.exe | C:\Windows\system32\Cekihh32.exe | |
| 212 | 3412 | C:\Windows\SysWOW64\Ckgapo32.exe | C:\Windows\system32\Ckgapo32.exe | System Location Discovery: System Language Discovery |
| 213 | 3464 | C:\Windows\SysWOW64\Ckjnfobi.exe | C:\Windows\system32\Ckjnfobi.exe | |
| 214 | 3520 | C:\Windows\SysWOW64\Cadfbi32.exe | C:\Windows\system32\Cadfbi32.exe | |
| 215 | 3568 | C:\Windows\SysWOW64\Djokgk32.exe | C:\Windows\system32\Djokgk32.exe | |
| 216 | 3600 | C:\Windows\SysWOW64\Dddodd32.exe | C:\Windows\system32\Dddodd32.exe | |
| 217 | 3672 | C:\Windows\SysWOW64\Djahmk32.exe | C:\Windows\system32\Djahmk32.exe | |
| 218 | 3732 | C:\Windows\SysWOW64\Djddbkck.exe | C:\Windows\system32\Djddbkck.exe | |
| 219 | 3768 | C:\Windows\SysWOW64\Dclikp32.exe | C:\Windows\system32\Dclikp32.exe | |
| 220 | 3824 | C:\Windows\SysWOW64\Dhiacg32.exe | C:\Windows\system32\Dhiacg32.exe | Modifies registry class |
| 221 | 3876 | C:\Windows\SysWOW64\Djhnmj32.exe | C:\Windows\system32\Djhnmj32.exe | |
| 222 | 3920 | C:\Windows\SysWOW64\Ecabfpff.exe | C:\Windows\system32\Ecabfpff.exe | |
| 223 | 3956 | C:\Windows\SysWOW64\Eligoe32.exe | C:\Windows\system32\Eligoe32.exe | |
| 224 | 4008 | C:\Windows\SysWOW64\Enjcfm32.exe | C:\Windows\system32\Enjcfm32.exe | |
| 225 | 4044 | C:\Windows\SysWOW64\Ekndpa32.exe | C:\Windows\system32\Ekndpa32.exe | |
| 226 | 3092 | C:\Windows\SysWOW64\Ehbdif32.exe | C:\Windows\system32\Ehbdif32.exe | |
| 227 | 3160 | C:\Windows\SysWOW64\Flnpoe32.exe | C:\Windows\system32\Flnpoe32.exe | |
| 228 | 3212 | C:\Windows\SysWOW64\Fcehpbdm.exe | C:\Windows\system32\Fcehpbdm.exe | |
| 229 | 3280 | C:\Windows\SysWOW64\Fffabman.exe | C:\Windows\system32\Fffabman.exe | |
| 230 | 3308 | C:\Windows\SysWOW64\Gnaffpoi.exe | C:\Windows\system32\Gnaffpoi.exe | |
| 231 | 3376 | C:\Windows\SysWOW64\Gncblo32.exe | C:\Windows\system32\Gncblo32.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 232 | 3448 | C:\Windows\SysWOW64\Gdpkdf32.exe | C:\Windows\system32\Gdpkdf32.exe | |
| 233 | 3532 | C:\Windows\SysWOW64\Gmipmlan.exe | C:\Windows\system32\Gmipmlan.exe | |
| 234 | 3596 | C:\Windows\SysWOW64\Gepgni32.exe | C:\Windows\system32\Gepgni32.exe | |
| 235 | 3640 | C:\Windows\SysWOW64\Gnhlgoia.exe | C:\Windows\system32\Gnhlgoia.exe | Drops file in System32 directory |
| 236 | 3712 | C:\Windows\SysWOW64\Gpihog32.exe | C:\Windows\system32\Gpihog32.exe | |
| 237 | 3764 | C:\Windows\SysWOW64\Gmmihk32.exe | C:\Windows\system32\Gmmihk32.exe | |
| 238 | 3840 | C:\Windows\SysWOW64\Gdgadeee.exe | C:\Windows\system32\Gdgadeee.exe | Modifies registry class |
| 239 | 3912 | C:\Windows\SysWOW64\Hmpemkkf.exe | C:\Windows\system32\Hmpemkkf.exe | System Location Discovery: System Language Discovery |
| 240 | 3952 | C:\Windows\SysWOW64\Hfhjfp32.exe | C:\Windows\system32\Hfhjfp32.exe | |
| 241 | 4040 | C:\Windows\SysWOW64\Hdlkpd32.exe | C:\Windows\system32\Hdlkpd32.exe | |
| 242 | 4088 | C:\Windows\SysWOW64\Hlgodgnk.exe | C:\Windows\system32\Hlgodgnk.exe | Drops file in System32 directory |