Analysis
max time kernel: 112s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 11:13
Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Padodor.SK.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Padodor.SK.exe
  Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Padodor.SK.exe
Size: 108KB
MD5: bd2402f23eeb22bd29da70603be9f3b0
SHA1: 9be05b813d48225747b9e1876130242f98ad1646
SHA256: 93c35348d3d483c713b66b3a98e40d1558645bdbb6393f2815f3e1a4cb6bdb82
SHA512: 175f44f30a442491d71957e3915d964d61abed6f72a8cf10d615fe1aabffdfa03db7df76a5b5d90701f4bb1ab26e6ab611b014b55f7e45b12e06e7fd6b94a409
SSDEEP: 3072:dYV+D3fM6m/JRecIQLMdwzkn0wpl6YgSd0YFcFmKcUsvKwF:dYwD3fvm/35cXd0cUs
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
8444  8364        WerFault.exe  Dpapaj32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfejbj.dll" Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaemgpd.dll" Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonlfc32.dll" Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhakcfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npaich32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exe, Pahogc32.exe, Phbgcnig.exe, Pqnlhpfb.exe, Pdihiook.exe, Pkcpei32.exe, Pmdmmalf.exe, Pdldnomh.exe, Qmgibqjc.exe, Qoeeolig.exe, Qfonkfqd.exe, Qinjgbpg.exe, Qogbdl32.exe, Afajafoa.exe, Ajmfad32.exe, Acekjjmk.exe
description | pid | process | target process (each row below was recorded 4 times, 64 IoCs in total)
PID 2120 wrote to memory of 2320 | 2120 | Backdoor.Win32.Padodor.SK.exe | Pahogc32.exe
PID 2320 wrote to memory of 2280 | 2320 | Pahogc32.exe | Phbgcnig.exe
PID 2280 wrote to memory of 2760 | 2280 | Phbgcnig.exe | Pqnlhpfb.exe
PID 2760 wrote to memory of 2808 | 2760 | Pqnlhpfb.exe | Pdihiook.exe
PID 2808 wrote to memory of 3016 | 2808 | Pdihiook.exe | Pkcpei32.exe
PID 3016 wrote to memory of 2900 | 3016 | Pkcpei32.exe | Pmdmmalf.exe
PID 2900 wrote to memory of 2644 | 2900 | Pmdmmalf.exe | Pdldnomh.exe
PID 2644 wrote to memory of 2160 | 2644 | Pdldnomh.exe | Qmgibqjc.exe
PID 2160 wrote to memory of 2308 | 2160 | Qmgibqjc.exe | Qoeeolig.exe
PID 2308 wrote to memory of 2716 | 2308 | Qoeeolig.exe | Qfonkfqd.exe
PID 2716 wrote to memory of 764 | 2716 | Qfonkfqd.exe | Qinjgbpg.exe
PID 764 wrote to memory of 2672 | 764 | Qinjgbpg.exe | Qogbdl32.exe
PID 2672 wrote to memory of 1560 | 2672 | Qogbdl32.exe | Afajafoa.exe
PID 1560 wrote to memory of 2064 | 1560 | Afajafoa.exe | Ajmfad32.exe
PID 2064 wrote to memory of 300 | 2064 | Ajmfad32.exe | Acekjjmk.exe
PID 300 wrote to memory of 1524 | 300 | Acekjjmk.exe | Abhkfg32.exe
Processes
(each entry: depth in the process tree. image path | command line | PID | signatures)
1. C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe | "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe" | PID:2120 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Pahogc32.exe | C:\Windows\system32\Pahogc32.exe | PID:2320 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Phbgcnig.exe | C:\Windows\system32\Phbgcnig.exe | PID:2280 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Pqnlhpfb.exe | C:\Windows\system32\Pqnlhpfb.exe | PID:2760 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Pdihiook.exe | C:\Windows\system32\Pdihiook.exe | PID:2808 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Pkcpei32.exe | C:\Windows\system32\Pkcpei32.exe | PID:3016 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Pmdmmalf.exe | C:\Windows\system32\Pmdmmalf.exe | PID:2900 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Pdldnomh.exe | C:\Windows\system32\Pdldnomh.exe | PID:2644 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Qmgibqjc.exe | C:\Windows\system32\Qmgibqjc.exe | PID:2160 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Qoeeolig.exe | C:\Windows\system32\Qoeeolig.exe | PID:2308 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Qfonkfqd.exe | C:\Windows\system32\Qfonkfqd.exe | PID:2716 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Qinjgbpg.exe | C:\Windows\system32\Qinjgbpg.exe | PID:764 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Qogbdl32.exe | C:\Windows\system32\Qogbdl32.exe | PID:2672 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Afajafoa.exe | C:\Windows\system32\Afajafoa.exe | PID:1560 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ajmfad32.exe | C:\Windows\system32\Ajmfad32.exe | PID:2064 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Acekjjmk.exe | C:\Windows\system32\Acekjjmk.exe | PID:300 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Abhkfg32.exe | C:\Windows\system32\Abhkfg32.exe | PID:1524 | Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Aibcba32.exe | C:\Windows\system32\Aibcba32.exe | PID:1116 | Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Amnocpdk.exe | C:\Windows\system32\Amnocpdk.exe | PID:2372 | Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Anolkh32.exe | C:\Windows\system32\Anolkh32.exe | PID:1080 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
21. C:\Windows\SysWOW64\Aidphq32.exe | C:\Windows\system32\Aidphq32.exe | PID:1512 | Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Aoohekal.exe | C:\Windows\system32\Aoohekal.exe | PID:2040 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
23. C:\Windows\SysWOW64\Anahqh32.exe | C:\Windows\system32\Anahqh32.exe | PID:884 | Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Aigmnqgm.exe | C:\Windows\system32\Aigmnqgm.exe | PID:2256 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
25. C:\Windows\SysWOW64\Agjmim32.exe | C:\Windows\system32\Agjmim32.exe | PID:2528 | Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Ajhiei32.exe | C:\Windows\system32\Ajhiei32.exe | PID:1920 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27. C:\Windows\SysWOW64\Aboaff32.exe | C:\Windows\system32\Aboaff32.exe | PID:2552 | Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Acqnnndl.exe | C:\Windows\system32\Acqnnndl.exe | PID:2380 | Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Akhfoldn.exe | C:\Windows\system32\Akhfoldn.exe | PID:2816 | Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Bccjdnbi.exe | C:\Windows\system32\Bccjdnbi.exe | PID:3020 | Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Bnhoag32.exe | C:\Windows\system32\Bnhoag32.exe | PID:2176 | Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Bpjkiogm.exe | C:\Windows\system32\Bpjkiogm.exe | PID:2624 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
33. C:\Windows\SysWOW64\Bgqcjlhp.exe | C:\Windows\system32\Bgqcjlhp.exe | PID:2688 | Executes dropped EXE
34. C:\Windows\SysWOW64\Bibpad32.exe | C:\Windows\system32\Bibpad32.exe | PID:1300 | Executes dropped EXE
35. C:\Windows\SysWOW64\Baigca32.exe | C:\Windows\system32\Baigca32.exe | PID:2848 | Executes dropped EXE
36. C:\Windows\SysWOW64\Bcgdom32.exe | C:\Windows\system32\Bcgdom32.exe | PID:2976 | Executes dropped EXE
37. C:\Windows\SysWOW64\Bffpki32.exe | C:\Windows\system32\Bffpki32.exe | PID:2836 | Executes dropped EXE
38. C:\Windows\SysWOW64\Bpnddn32.exe | C:\Windows\system32\Bpnddn32.exe | PID:1452 | Executes dropped EXE
39. C:\Windows\SysWOW64\Bcjqdmla.exe | C:\Windows\system32\Bcjqdmla.exe | PID:2144 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
40. C:\Windows\SysWOW64\Bfhmqhkd.exe | C:\Windows\system32\Bfhmqhkd.exe | PID:2148 | Executes dropped EXE
41. C:\Windows\SysWOW64\Bmbemb32.exe | C:\Windows\system32\Bmbemb32.exe | PID:1632 | Executes dropped EXE
42. C:\Windows\SysWOW64\Bpqain32.exe | C:\Windows\system32\Bpqain32.exe | PID:584 | Executes dropped EXE
43. C:\Windows\SysWOW64\Cemjae32.exe | C:\Windows\system32\Cemjae32.exe | PID:284 | Executes dropped EXE
44. C:\Windows\SysWOW64\Clgbno32.exe | C:\Windows\system32\Clgbno32.exe | PID:2800 | Executes dropped EXE
45. C:\Windows\SysWOW64\Cofnjj32.exe | C:\Windows\system32\Cofnjj32.exe | PID:448 | Executes dropped EXE
46. C:\Windows\SysWOW64\Cepfgdnj.exe | C:\Windows\system32\Cepfgdnj.exe | PID:2416 | Executes dropped EXE; System Location Discovery: System Language Discovery
47. C:\Windows\SysWOW64\Cikbhc32.exe | C:\Windows\system32\Cikbhc32.exe | PID:2500 | Executes dropped EXE
48. C:\Windows\SysWOW64\Cjmopkla.exe | C:\Windows\system32\Cjmopkla.exe | PID:928 | Executes dropped EXE
49. C:\Windows\SysWOW64\Cdecha32.exe | C:\Windows\system32\Cdecha32.exe | PID:1336 | Executes dropped EXE
50. C:\Windows\SysWOW64\Ckolek32.exe | C:\Windows\system32\Ckolek32.exe | PID:1492 | Executes dropped EXE
51. C:\Windows\SysWOW64\Cojhejbh.exe | C:\Windows\system32\Cojhejbh.exe | PID:2356 | Executes dropped EXE; Drops file in System32 directory
52. C:\Windows\SysWOW64\Caidaeak.exe | C:\Windows\system32\Caidaeak.exe | PID:2192 | Executes dropped EXE; Modifies registry class
53. C:\Windows\SysWOW64\Cedpbd32.exe | C:\Windows\system32\Cedpbd32.exe | PID:2824 | Executes dropped EXE
54. C:\Windows\SysWOW64\Chcloo32.exe | C:\Windows\system32\Chcloo32.exe | PID:2828 | Executes dropped EXE
55. C:\Windows\SysWOW64\Cffljlpc.exe | C:\Windows\system32\Cffljlpc.exe | PID:2628 | Executes dropped EXE; Modifies registry class
56. C:\Windows\SysWOW64\Comdkipe.exe | C:\Windows\system32\Comdkipe.exe | PID:2616 | Executes dropped EXE
57. C:\Windows\SysWOW64\Cmpdgf32.exe | C:\Windows\system32\Cmpdgf32.exe | PID:1952 | Executes dropped EXE
58. C:\Windows\SysWOW64\Cpnaca32.exe | C:\Windows\system32\Cpnaca32.exe | PID:1356 | Executes dropped EXE
59. C:\Windows\SysWOW64\Cdjmcpnl.exe | C:\Windows\system32\Cdjmcpnl.exe | PID:2852 | Executes dropped EXE
60. C:\Windows\SysWOW64\Cfhiplmp.exe | C:\Windows\system32\Cfhiplmp.exe | PID:296 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
61. C:\Windows\SysWOW64\Ckcepj32.exe | C:\Windows\system32\Ckcepj32.exe | PID:452 | Executes dropped EXE
62. C:\Windows\SysWOW64\Cmbalfem.exe | C:\Windows\system32\Cmbalfem.exe | PID:2028 | Executes dropped EXE
63. C:\Windows\SysWOW64\Danmmd32.exe | C:\Windows\system32\Danmmd32.exe | PID:1036 | Executes dropped EXE
64. C:\Windows\SysWOW64\Dbojdmcd.exe | C:\Windows\system32\Dbojdmcd.exe | PID:1964 | Executes dropped EXE
65. C:\Windows\SysWOW64\Dgjfek32.exe | C:\Windows\system32\Dgjfek32.exe | PID:1672 | Executes dropped EXE; System Location Discovery: System Language Discovery
66. C:\Windows\SysWOW64\Diibag32.exe | C:\Windows\system32\Diibag32.exe | PID:900
67. C:\Windows\SysWOW64\Dlgnmb32.exe | C:\Windows\system32\Dlgnmb32.exe | PID:1744
68. C:\Windows\SysWOW64\Ddnfop32.exe | C:\Windows\system32\Ddnfop32.exe | PID:2404 | Modifies registry class
69. C:\Windows\SysWOW64\Dgmbkk32.exe | C:\Windows\system32\Dgmbkk32.exe | PID:2792
70. C:\Windows\SysWOW64\Dikogf32.exe | C:\Windows\system32\Dikogf32.exe | PID:2452
71. C:\Windows\SysWOW64\Dmgkgeah.exe | C:\Windows\system32\Dmgkgeah.exe | PID:2940
72. C:\Windows\SysWOW64\Dpegcq32.exe | C:\Windows\system32\Dpegcq32.exe | PID:2908
73. C:\Windows\SysWOW64\Dohgomgf.exe | C:\Windows\system32\Dohgomgf.exe | PID:2504
74. C:\Windows\SysWOW64\Dgoopkgh.exe | C:\Windows\system32\Dgoopkgh.exe | PID:1028
75. C:\Windows\SysWOW64\Debplg32.exe | C:\Windows\system32\Debplg32.exe | PID:2864
76. C:\Windows\SysWOW64\Dhplhc32.exe | C:\Windows\system32\Dhplhc32.exe | PID:2952 | Modifies registry class
77. C:\Windows\SysWOW64\Dllhhaep.exe | C:\Windows\system32\Dllhhaep.exe | PID:2508 | Modifies registry class
78. C:\Windows\SysWOW64\Dojddmec.exe | C:\Windows\system32\Dojddmec.exe | PID:868
79. C:\Windows\SysWOW64\Dcfpel32.exe | C:\Windows\system32\Dcfpel32.exe | PID:1376 | Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Diphbfdi.exe | C:\Windows\system32\Diphbfdi.exe | PID:560 | Adds autorun key to be loaded by Explorer.exe on startup
81. C:\Windows\SysWOW64\Dhbhmb32.exe | C:\Windows\system32\Dhbhmb32.exe | PID:2472
82. C:\Windows\SysWOW64\Dkadjn32.exe | C:\Windows\system32\Dkadjn32.exe | PID:988
83. C:\Windows\SysWOW64\Degiggjm.exe | C:\Windows\system32\Degiggjm.exe | PID:1392
84. C:\Windows\SysWOW64\Eheecbia.exe | C:\Windows\system32\Eheecbia.exe | PID:1000
85. C:\Windows\SysWOW64\Eheecbia.exe | C:\Windows\system32\Eheecbia.exe | PID:2100
86. C:\Windows\SysWOW64\Ekcaonhe.exe | C:\Windows\system32\Ekcaonhe.exe | PID:2316 | Modifies registry class
87. C:\Windows\SysWOW64\Eoompl32.exe | C:\Windows\system32\Eoompl32.exe | PID:2932
88. C:\Windows\SysWOW64\Eamilh32.exe | C:\Windows\system32\Eamilh32.exe | PID:2724 | Drops file in System32 directory
89. C:\Windows\SysWOW64\Eeielfhk.exe | C:\Windows\system32\Eeielfhk.exe | PID:2948
90. C:\Windows\SysWOW64\Edlfhc32.exe | C:\Windows\system32\Edlfhc32.exe | PID:2684 | Adds autorun key to be loaded by Explorer.exe on startup
91. C:\Windows\SysWOW64\Ehgbhbgn.exe | C:\Windows\system32\Ehgbhbgn.exe | PID:2860
92. C:\Windows\SysWOW64\Egjbdo32.exe | C:\Windows\system32\Egjbdo32.exe | PID:2712 | Adds autorun key to be loaded by Explorer.exe on startup
93. C:\Windows\SysWOW64\Eoajel32.exe | C:\Windows\system32\Eoajel32.exe | PID:2680
94. C:\Windows\SysWOW64\Endjaief.exe | C:\Windows\system32\Endjaief.exe | PID:1876
95. C:\Windows\SysWOW64\Epbfmd32.exe | C:\Windows\system32\Epbfmd32.exe | PID:1364
96. C:\Windows\SysWOW64\Egmojnlf.exe | C:\Windows\system32\Egmojnlf.exe | PID:960
97. C:\Windows\SysWOW64\Ejkkfjkj.exe | C:\Windows\system32\Ejkkfjkj.exe | PID:2300
98. C:\Windows\SysWOW64\Enfgfh32.exe | C:\Windows\system32\Enfgfh32.exe | PID:1880
99. C:\Windows\SysWOW64\Eabcggll.exe | C:\Windows\system32\Eabcggll.exe | PID:1732
100. C:\Windows\SysWOW64\Edqocbkp.exe | C:\Windows\system32\Edqocbkp.exe | PID:2804
101. C:\Windows\SysWOW64\Egokonjc.exe | C:\Windows\system32\Egokonjc.exe | PID:2780
102. C:\Windows\SysWOW64\Elldgehk.exe | C:\Windows\system32\Elldgehk.exe | PID:2188
103. C:\Windows\SysWOW64\Epgphcqd.exe | C:\Windows\system32\Epgphcqd.exe | PID:2700
104. C:\Windows\SysWOW64\Ecfldoph.exe | C:\Windows\system32\Ecfldoph.exe | PID:1372
105. C:\Windows\SysWOW64\Egahen32.exe | C:\Windows\system32\Egahen32.exe | PID:1736 | Drops file in System32 directory
106. C:\Windows\SysWOW64\Efdhpjok.exe | C:\Windows\system32\Efdhpjok.exe | PID:1528
107. C:\Windows\SysWOW64\Enkpahon.exe | C:\Windows\system32\Enkpahon.exe | PID:1476 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Elnqmd32.exe | C:\Windows\system32\Elnqmd32.exe | PID:1752
109. C:\Windows\SysWOW64\Eqjmncna.exe | C:\Windows\system32\Eqjmncna.exe | PID:2464
110. C:\Windows\SysWOW64\Eolmip32.exe | C:\Windows\system32\Eolmip32.exe | PID:1864
111. C:\Windows\SysWOW64\Fgcejm32.exe | C:\Windows\system32\Fgcejm32.exe | PID:2420
112. C:\Windows\SysWOW64\Fjbafi32.exe | C:\Windows\system32\Fjbafi32.exe | PID:2756
113. C:\Windows\SysWOW64\Fheabelm.exe | C:\Windows\system32\Fheabelm.exe | PID:2820
114. C:\Windows\SysWOW64\Foojop32.exe | C:\Windows\system32\Foojop32.exe | PID:2664 | Drops file in System32 directory
115. C:\Windows\SysWOW64\Fcjeon32.exe | C:\Windows\system32\Fcjeon32.exe | PID:2444
116. C:\Windows\SysWOW64\Fmcjhdbc.exe | C:\Windows\system32\Fmcjhdbc.exe | PID:1944 | Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Fkejcq32.exe | C:\Windows\system32\Fkejcq32.exe | PID:1576
118. C:\Windows\SysWOW64\Fcmben32.exe | C:\Windows\system32\Fcmben32.exe | PID:1132 | System Location Discovery: System Language Discovery
119. C:\Windows\SysWOW64\Ffkoai32.exe | C:\Windows\system32\Ffkoai32.exe | PID:1292 | Drops file in System32 directory
120. C:\Windows\SysWOW64\Fdnolfon.exe | C:\Windows\system32\Fdnolfon.exe | PID:2584
121. C:\Windows\SysWOW64\Fhikme32.exe | C:\Windows\system32\Fhikme32.exe | PID:2084
122. C:\Windows\SysWOW64\Fkhgip32.exe | C:\Windows\system32\Fkhgip32.exe | PID:3028
123. C:\Windows\SysWOW64\Foccjood.exe | C:\Windows\system32\Foccjood.exe | PID:2296 | Drops file in System32 directory
124. C:\Windows\SysWOW64\Fbbofjnh.exe | C:\Windows\system32\Fbbofjnh.exe | PID:2964 | Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
125. C:\Windows\SysWOW64\Ffmkfifa.exe | C:\Windows\system32\Ffmkfifa.exe | PID:1896
126. C:\Windows\SysWOW64\Fdpkbf32.exe | C:\Windows\system32\Fdpkbf32.exe | PID:2052
127. C:\Windows\SysWOW64\Filgbdfd.exe | C:\Windows\system32\Filgbdfd.exe | PID:2200
128. C:\Windows\SysWOW64\Fkjdopeh.exe | C:\Windows\system32\Fkjdopeh.exe | PID:348
129. C:\Windows\SysWOW64\Fofpoo32.exe | C:\Windows\system32\Fofpoo32.exe | PID:2892 | Adds autorun key to be loaded by Explorer.exe on startup
130. C:\Windows\SysWOW64\Fqglggcp.exe | C:\Windows\system32\Fqglggcp.exe | PID:2920 | System Location Discovery: System Language Discovery
131. C:\Windows\SysWOW64\Fdbhge32.exe | C:\Windows\system32\Fdbhge32.exe | PID:2728
132. C:\Windows\SysWOW64\Findhdcb.exe | C:\Windows\system32\Findhdcb.exe | PID:1828 | Drops file in System32 directory; System Location Discovery: System Language Discovery
133. C:\Windows\SysWOW64\Gjpqpl32.exe | C:\Windows\system32\Gjpqpl32.exe | PID:3048
134. C:\Windows\SysWOW64\Gnkmqkbi.exe | C:\Windows\system32\Gnkmqkbi.exe | PID:2396
135. C:\Windows\SysWOW64\Gqiimfam.exe | C:\Windows\system32\Gqiimfam.exe | PID:612
136. C:\Windows\SysWOW64\Gcheib32.exe | C:\Windows\system32\Gcheib32.exe | PID:2428
137. C:\Windows\SysWOW64\Gjbmelgm.exe | C:\Windows\system32\Gjbmelgm.exe | PID:2896
138. C:\Windows\SysWOW64\Gmpjagfa.exe | C:\Windows\system32\Gmpjagfa.exe | PID:2720
139. C:\Windows\SysWOW64\Ggfnopfg.exe | C:\Windows\system32\Ggfnopfg.exe | PID:2880
140. C:\Windows\SysWOW64\Gfhnjm32.exe | C:\Windows\system32\Gfhnjm32.exe | PID:2632
141. C:\Windows\SysWOW64\Gjdjklek.exe | C:\Windows\system32\Gjdjklek.exe | PID:380
142. C:\Windows\SysWOW64\Gnpflj32.exe | C:\Windows\system32\Gnpflj32.exe | PID:1556
143. C:\Windows\SysWOW64\Gqnbhf32.exe | C:\Windows\system32\Gqnbhf32.exe | PID:2164
144. C:\Windows\SysWOW64\Gcmoda32.exe | C:\Windows\system32\Gcmoda32.exe | PID:2408
145. C:\Windows\SysWOW64\Gfkkpmko.exe | C:\Windows\system32\Gfkkpmko.exe | PID:1696 | Adds autorun key to be loaded by Explorer.exe on startup
146. C:\Windows\SysWOW64\Gjfgqk32.exe | C:\Windows\system32\Gjfgqk32.exe | PID:2640
147. C:\Windows\SysWOW64\Gmecmg32.exe | C:\Windows\system32\Gmecmg32.exe | PID:2960
148. C:\Windows\SysWOW64\Gaqomeke.exe | C:\Windows\system32\Gaqomeke.exe | PID:2648
149. C:\Windows\SysWOW64\Gpcoib32.exe | C:\Windows\system32\Gpcoib32.exe | PID:1620
150. C:\Windows\SysWOW64\Gcokiaji.exe | C:\Windows\system32\Gcokiaji.exe | PID:1912
151. C:\Windows\SysWOW64\Gfmgelil.exe | C:\Windows\system32\Gfmgelil.exe | PID:1604
152. C:\Windows\SysWOW64\Gjicfk32.exe | C:\Windows\system32\Gjicfk32.exe | PID:2916
153. C:\Windows\SysWOW64\Gildahhp.exe | C:\Windows\system32\Gildahhp.exe | PID:2872
154. C:\Windows\SysWOW64\Gljpncgc.exe | C:\Windows\system32\Gljpncgc.exe | PID:2576
155. C:\Windows\SysWOW64\Gpelnb32.exe | C:\Windows\system32\Gpelnb32.exe | PID:1804
156. C:\Windows\SysWOW64\Gcahoqhf.exe | C:\Windows\system32\Gcahoqhf.exe | PID:772
157. C:\Windows\SysWOW64\Hfpdkl32.exe | C:\Windows\system32\Hfpdkl32.exe | PID:640
158. C:\Windows\SysWOW64\Hebdfind.exe | C:\Windows\system32\Hebdfind.exe | PID:2556
159. C:\Windows\SysWOW64\Hmjlhfof.exe | C:\Windows\system32\Hmjlhfof.exe | PID:444 | System Location Discovery: System Language Discovery; Modifies registry class
160. C:\Windows\SysWOW64\Hphidanj.exe | C:\Windows\system32\Hphidanj.exe | PID:1780
161. C:\Windows\SysWOW64\Heealhla.exe | C:\Windows\system32\Heealhla.exe | PID:2032
162. C:\Windows\SysWOW64\Hhcmhdke.exe | C:\Windows\system32\Hhcmhdke.exe | PID:2608 | Drops file in System32 directory; System Location Discovery: System Language Discovery
163. C:\Windows\SysWOW64\Hloiib32.exe | C:\Windows\system32\Hloiib32.exe | PID:3036
164. C:\Windows\SysWOW64\Hnmeen32.exe | C:\Windows\system32\Hnmeen32.exe | PID:1908 | Drops file in System32 directory
165. C:\Windows\SysWOW64\Halbai32.exe | C:\Windows\system32\Halbai32.exe | PID:2124
166. C:\Windows\SysWOW64\Hegnahjo.exe | C:\Windows\system32\Hegnahjo.exe | PID:2076
167. C:\Windows\SysWOW64\Hhejnc32.exe | C:\Windows\system32\Hhejnc32.exe | PID:2228
168. C:\Windows\SysWOW64\Hlafnbal.exe | C:\Windows\system32\Hlafnbal.exe | PID:1740
169. C:\Windows\SysWOW64\Hjdfjo32.exe | C:\Windows\system32\Hjdfjo32.exe | PID:2924
170. C:\Windows\SysWOW64\Hbknkl32.exe | C:\Windows\system32\Hbknkl32.exe | PID:1048
171. C:\Windows\SysWOW64\Heikgh32.exe | C:\Windows\system32\Heikgh32.exe | PID:908 | System Location Discovery: System Language Discovery
172. C:\Windows\SysWOW64\Hdlkcdog.exe | C:\Windows\system32\Hdlkcdog.exe | PID:1948
173. C:\Windows\SysWOW64\Hhhgcc32.exe | C:\Windows\system32\Hhhgcc32.exe | PID:1600
174. C:\Windows\SysWOW64\Hjfcpo32.exe | C:\Windows\system32\Hjfcpo32.exe | PID:1088
175. C:\Windows\SysWOW64\Hnbopmnm.exe | C:\Windows\system32\Hnbopmnm.exe | PID:2092
176. C:\Windows\SysWOW64\Hapklimq.exe | C:\Windows\system32\Hapklimq.exe | PID:3080 | Modifies registry class
177. C:\Windows\SysWOW64\Helgmg32.exe | C:\Windows\system32\Helgmg32.exe | PID:3120
178. C:\Windows\SysWOW64\Hdoghdmd.exe | C:\Windows\system32\Hdoghdmd.exe | PID:3160
179. C:\Windows\SysWOW64\Hfmddp32.exe | C:\Windows\system32\Hfmddp32.exe | PID:3200
180. C:\Windows\SysWOW64\Hjipenda.exe | C:\Windows\system32\Hjipenda.exe | PID:3240
181. C:\Windows\SysWOW64\Hmglajcd.exe | C:\Windows\system32\Hmglajcd.exe | PID:3280 | Modifies registry class
182. C:\Windows\SysWOW64\Iabhah32.exe | C:\Windows\system32\Iabhah32.exe | PID:3320
183. C:\Windows\SysWOW64\Idadnd32.exe | C:\Windows\system32\Idadnd32.exe | PID:3360
184. C:\Windows\SysWOW64\Ihmpobck.exe | C:\Windows\system32\Ihmpobck.exe | PID:3400
185. C:\Windows\SysWOW64\Ijklknbn.exe | C:\Windows\system32\Ijklknbn.exe | PID:3440
186. C:\Windows\SysWOW64\Iinmfk32.exe | C:\Windows\system32\Iinmfk32.exe | PID:3480
187. C:\Windows\SysWOW64\Iaeegh32.exe | C:\Windows\system32\Iaeegh32.exe | PID:3520
188. C:\Windows\SysWOW64\Idcacc32.exe | C:\Windows\system32\Idcacc32.exe | PID:3560
189. C:\Windows\SysWOW64\Ibfaopoi.exe | C:\Windows\system32\Ibfaopoi.exe | PID:3600
190. C:\Windows\SysWOW64\Ifampo32.exe | C:\Windows\system32\Ifampo32.exe | PID:3640 | System Location Discovery: System Language Discovery
191. C:\Windows\SysWOW64\Iipiljgf.exe | C:\Windows\system32\Iipiljgf.exe | PID:3680
192. C:\Windows\SysWOW64\Ilofhffj.exe | C:\Windows\system32\Ilofhffj.exe | PID:3720
193. C:\Windows\SysWOW64\Ipjahd32.exe | C:\Windows\system32\Ipjahd32.exe | PID:3760
194. C:\Windows\SysWOW64\Idfnicfl.exe | C:\Windows\system32\Idfnicfl.exe | PID:3800
195. C:\Windows\SysWOW64\Ifdjeoep.exe | C:\Windows\system32\Ifdjeoep.exe | PID:3840
196. C:\Windows\SysWOW64\Ifdjeoep.exe | C:\Windows\system32\Ifdjeoep.exe | PID:3868
197. C:\Windows\SysWOW64\Iibfajdc.exe | C:\Windows\system32\Iibfajdc.exe | PID:3892
198. C:\Windows\SysWOW64\Imnbbi32.exe | C:\Windows\system32\Imnbbi32.exe | PID:3932
199. C:\Windows\SysWOW64\Iplnnd32.exe | C:\Windows\system32\Iplnnd32.exe | PID:3972
200. C:\Windows\SysWOW64\Iplnnd32.exe | C:\Windows\system32\Iplnnd32.exe | PID:4000
201. C:\Windows\SysWOW64\Ibkkjp32.exe | C:\Windows\system32\Ibkkjp32.exe | PID:4024
202. C:\Windows\SysWOW64\Ifffkncm.exe | C:\Windows\system32\Ifffkncm.exe | PID:4064 | Modifies registry class
203. C:\Windows\SysWOW64\Iiecgjba.exe | C:\Windows\system32\Iiecgjba.exe | PID:2276
204. C:\Windows\SysWOW64\Ihhcbf32.exe | C:\Windows\system32\Ihhcbf32.exe | PID:3132
205. C:\Windows\SysWOW64\Ilcoce32.exe | C:\Windows\system32\Ilcoce32.exe | PID:3172
206. C:\Windows\SysWOW64\Ioakoq32.exe | C:\Windows\system32\Ioakoq32.exe | PID:3232
207. C:\Windows\SysWOW64\Ibmgpoia.exe | C:\Windows\system32\Ibmgpoia.exe | PID:3272
208. C:\Windows\SysWOW64\Ielclkhe.exe | C:\Windows\system32\Ielclkhe.exe | PID:3336
209. C:\Windows\SysWOW64\Jhjphfgi.exe | C:\Windows\system32\Jhjphfgi.exe | PID:3376
210. C:\Windows\SysWOW64\Jlelhe32.exe | C:\Windows\system32\Jlelhe32.exe | PID:3428
211. C:\Windows\SysWOW64\Jodhdp32.exe | C:\Windows\system32\Jodhdp32.exe | PID:3488
212. C:\Windows\SysWOW64\Jbpdeogo.exe | C:\Windows\system32\Jbpdeogo.exe | PID:3532
213. C:\Windows\SysWOW64\Jenpajfb.exe | C:\Windows\system32\Jenpajfb.exe | PID:3580
214. C:\Windows\SysWOW64\Jdaqmg32.exe | C:\Windows\system32\Jdaqmg32.exe | PID:3632
215. C:\Windows\SysWOW64\Jhlmmfef.exe | C:\Windows\system32\Jhlmmfef.exe | PID:3676
216. C:\Windows\SysWOW64\Jkkija32.exe | C:\Windows\system32\Jkkija32.exe | PID:3732
217. C:\Windows\SysWOW64\Jofejpmc.exe | C:\Windows\system32\Jofejpmc.exe | PID:3796 | System Location Discovery: System Language Discovery
218. C:\Windows\SysWOW64\Jniefm32.exe | C:\Windows\system32\Jniefm32.exe | PID:3828
219. C:\Windows\SysWOW64\Jepmgj32.exe | C:\Windows\system32\Jepmgj32.exe | PID:3884
220. C:\Windows\SysWOW64\Jdcmbgkj.exe | C:\Windows\system32\Jdcmbgkj.exe | PID:3940
221. C:\Windows\SysWOW64\Jgaiobjn.exe | C:\Windows\system32\Jgaiobjn.exe | PID:3996 | Drops file in System32 directory
222. C:\Windows\SysWOW64\Jkmeoa32.exe | C:\Windows\system32\Jkmeoa32.exe | PID:4044 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
223. C:\Windows\SysWOW64\Jnkakl32.exe | C:\Windows\system32\Jnkakl32.exe | PID:3076
224. C:\Windows\SysWOW64\Jagnlkjd.exe | C:\Windows\system32\Jagnlkjd.exe | PID:3128 | System Location Discovery: System Language Discovery
225. C:\Windows\SysWOW64\Jpjngh32.exe | C:\Windows\system32\Jpjngh32.exe | PID:3208
226. C:\Windows\SysWOW64\Jhafhe32.exe | C:\Windows\system32\Jhafhe32.exe | PID:3248 | Modifies registry class
227. C:\Windows\SysWOW64\Jkpbdq32.exe | C:\Windows\system32\Jkpbdq32.exe | PID:3304 | Drops file in System32 directory
228. C:\Windows\SysWOW64\Jjbbpmgo.exe | C:\Windows\system32\Jjbbpmgo.exe | PID:3380 | Adds autorun key to be loaded by Explorer.exe on startup
229. C:\Windows\SysWOW64\Jaijak32.exe | C:\Windows\system32\Jaijak32.exe | PID:3448
230. C:\Windows\SysWOW64\Jdhgnf32.exe | C:\Windows\system32\Jdhgnf32.exe | PID:3508
231. C:\Windows\SysWOW64\Jckgicnp.exe | C:\Windows\system32\Jckgicnp.exe | PID:3552
232. C:\Windows\SysWOW64\Jgfcja32.exe | C:\Windows\system32\Jgfcja32.exe | PID:3628
233. C:\Windows\SysWOW64\Jjdofm32.exe | C:\Windows\system32\Jjdofm32.exe | PID:3704
234. C:\Windows\SysWOW64\Jnpkflne.exe | C:\Windows\system32\Jnpkflne.exe | PID:3744
235. C:\Windows\SysWOW64\Jpogbgmi.exe | C:\Windows\system32\Jpogbgmi.exe | PID:3836
236. C:\Windows\SysWOW64\Kdjccf32.exe | C:\Windows\system32\Kdjccf32.exe | PID:3876
237. C:\Windows\SysWOW64\Kfkpknkq.exe | C:\Windows\system32\Kfkpknkq.exe | PID:3956 | Drops file in System32 directory
238. C:\Windows\SysWOW64\Kjglkm32.exe | C:\Windows\system32\Kjglkm32.exe | PID:4012
239. C:\Windows\SysWOW64\Klehgh32.exe | C:\Windows\system32\Klehgh32.exe | PID:4076
240. C:\Windows\SysWOW64\Kpadhg32.exe | C:\Windows\system32\Kpadhg32.exe | PID:3112
241. C:\Windows\SysWOW64\Koddccaa.exe | C:\Windows\system32\Koddccaa.exe | PID:3216
242. C:\Windows\SysWOW64\Kjihalag.exe | C:\Windows\system32\Kjihalag.exe | PID:3268
