Analysis
-
max time kernel
20s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 11:14
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
264KB
-
MD5
aceaf1f59a28ced9bd6f8684a304bd60
-
SHA1
76ba20678a6a810bb62472dbff5b5b301f778750
-
SHA256
120b17ce570df008b3057d9e65e9e1f2b434ad560e77fff80807c4c862b1ef3f
-
SHA512
b8d647537548dd51a85dd6285a6db3bc02a172b6dad60819b95fcec8ed177d55238e88b4d2fff007acd198e11f814179be2c8335b9674defd76fdfb8b200f556
-
SSDEEP
6144:ubWiypZ0htd4pui6yYPaIGck72siBTQtpui6yYPaIGckv:ziypFpV6yYPc2siBTspV6yYPo
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kfbfkmeh.exeFogibnha.exeGcgnnlle.exeMgjnhaco.exeOpnbbe32.exeQgmpibam.exeHllmcc32.exeOanefo32.exeDaofpchf.exeEihgfd32.exeOhncbdbd.exeBjkhdacm.exeIihiphln.exeNnafnopi.exePmmeon32.exeAnjlebjc.exeCcbphk32.exeIedfqeka.exeLdpbpgoh.exeLqejbiim.exeNfahomfd.exeOekjjl32.exePaknelgk.exeEddeladm.exeFhbnbpjc.exeGepafc32.exeMobfgdcl.exeKnbhlkkc.exeQododfek.exeDmmmfc32.exeEpbpbnan.exeAficjnpm.exeFchijone.exeAggiigmn.exeEcbhdi32.exeLclicpkm.exeOibmpl32.exeBjdkjpkb.exeBaojapfj.exeJefpeh32.exeLhknaf32.exeMbcoio32.exeDhpemm32.exeKekiphge.exePkoicb32.exeKdjccf32.exeIjclol32.exeKoaqcn32.exeKdbbgdjj.exeAflfjc32.exeIegjqk32.exeLcomce32.exeFlhmfbim.exeHnjbeh32.exeLqcmmjko.exeDhkkbmnp.exeLhnkffeo.exeClojhf32.exeKcdjoaee.exeHnheohcl.exeHifpke32.exeCnfqccna.exeGmpjagfa.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbfkmeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fogibnha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgnnlle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qgmpibam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hllmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanefo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eihgfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anjlebjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbphk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lqejbiim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhbnbpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mobfgdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbhlkkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epbpbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fchijone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecbhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lclicpkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jefpeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdjccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijclol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aflfjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iegjqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcomce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnjbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqcmmjko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcdjoaee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fogibnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnheohcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmpjagfa.exe -
Executes dropped EXE 64 IoCs
Processes:
Elnqmd32.exeFchijone.exeFffefjmi.exeFheabelm.exeFcjeon32.exeFhgnge32.exeFkjdopeh.exeFdbhge32.exeFgadda32.exeGkomjo32.exeGmpjagfa.exeGqnbhf32.exeGcmoda32.exeGfmgelil.exeGmgpbf32.exeHllmcc32.exeHeealhla.exeHhcmhdke.exeHpjeialg.exeHalbai32.exeHibjbgbh.exeHlafnbal.exeHanogipc.exeHlccdboi.exeHmeolj32.exeHndlem32.exeIabhah32.exeImiigiab.exeIdcacc32.exeIjmipn32.exeIlofhffj.exeIegjqk32.exeIibfajdc.exeIfffkncm.exeIiecgjba.exeIlcoce32.exeIpokcdjn.exeJlelhe32.exeJbpdeogo.exeJenpajfb.exeJkkija32.exeJofejpmc.exeJoiappkp.exeJnkakl32.exeJdejhfig.exeJhafhe32.exeJkpbdq32.exeJplkmgol.exeJgfcja32.exeJjdofm32.exeJpogbgmi.exeKdjccf32.exeKcmcoblm.exeKnbhlkkc.exeKoddccaa.exeKcopdb32.exeKgkleabc.exeKhlili32.exeKpcqnf32.exeKcamjb32.exeKjleflod.exeKljabgnh.exeKcdjoaee.exeKfbfkmeh.exepid process 2408 Elnqmd32.exe 2544 Fchijone.exe 2756 Fffefjmi.exe 3004 Fheabelm.exe 2640 Fcjeon32.exe 2660 Fhgnge32.exe 2316 Fkjdopeh.exe 1824 Fdbhge32.exe 2968 Fgadda32.exe 1348 Gkomjo32.exe 1804 Gmpjagfa.exe 1628 Gqnbhf32.exe 1764 Gcmoda32.exe 2176 Gfmgelil.exe 2360 Gmgpbf32.exe 1016 Hllmcc32.exe 3008 Heealhla.exe 1356 Hhcmhdke.exe 2156 Hpjeialg.exe 1556 Halbai32.exe 1236 Hibjbgbh.exe 1300 Hlafnbal.exe 2352 Hanogipc.exe 2272 Hlccdboi.exe 1672 Hmeolj32.exe 2344 Hndlem32.exe 2884 Iabhah32.exe 812 Imiigiab.exe 2780 Idcacc32.exe 2876 Ijmipn32.exe 2952 Ilofhffj.exe 2656 Iegjqk32.exe 2084 Iibfajdc.exe 1876 Ifffkncm.exe 2812 Iiecgjba.exe 2896 Ilcoce32.exe 2428 Ipokcdjn.exe 1980 Jlelhe32.exe 2956 Jbpdeogo.exe 872 Jenpajfb.exe 1836 Jkkija32.exe 2784 Jofejpmc.exe 956 Joiappkp.exe 1912 Jnkakl32.exe 2960 Jdejhfig.exe 2492 Jhafhe32.exe 1752 Jkpbdq32.exe 2324 Jplkmgol.exe 2172 Jgfcja32.exe 1624 Jjdofm32.exe 2904 Jpogbgmi.exe 2888 Kdjccf32.exe 2616 Kcmcoblm.exe 316 Knbhlkkc.exe 2248 Koddccaa.exe 2216 Kcopdb32.exe 592 Kgkleabc.exe 1508 Khlili32.exe 1640 Kpcqnf32.exe 2696 Kcamjb32.exe 2292 Kjleflod.exe 1136 Kljabgnh.exe 1828 Kcdjoaee.exe 2468 Kfbfkmeh.exe -
Loads dropped DLL 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exeElnqmd32.exeFchijone.exeFffefjmi.exeFheabelm.exeFcjeon32.exeFhgnge32.exeFkjdopeh.exeFdbhge32.exeFgadda32.exeGkomjo32.exeGmpjagfa.exeGqnbhf32.exeGcmoda32.exeGfmgelil.exeGmgpbf32.exeHllmcc32.exeHeealhla.exeHhcmhdke.exeHpjeialg.exeHalbai32.exeHibjbgbh.exeHlafnbal.exeHanogipc.exeHlccdboi.exeHmeolj32.exeHndlem32.exeIabhah32.exeImiigiab.exeIdcacc32.exeIjmipn32.exeIlofhffj.exepid process 3056 Backdoor.Win32.Padodor.SK.exe 3056 Backdoor.Win32.Padodor.SK.exe 2408 Elnqmd32.exe 2408 Elnqmd32.exe 2544 Fchijone.exe 2544 Fchijone.exe 2756 Fffefjmi.exe 2756 Fffefjmi.exe 3004 Fheabelm.exe 3004 Fheabelm.exe 2640 Fcjeon32.exe 2640 Fcjeon32.exe 2660 Fhgnge32.exe 2660 Fhgnge32.exe 2316 Fkjdopeh.exe 2316 Fkjdopeh.exe 1824 Fdbhge32.exe 1824 Fdbhge32.exe 2968 Fgadda32.exe 2968 Fgadda32.exe 1348 Gkomjo32.exe 1348 Gkomjo32.exe 1804 Gmpjagfa.exe 1804 Gmpjagfa.exe 1628 Gqnbhf32.exe 1628 Gqnbhf32.exe 1764 Gcmoda32.exe 1764 Gcmoda32.exe 2176 Gfmgelil.exe 2176 Gfmgelil.exe 2360 Gmgpbf32.exe 2360 Gmgpbf32.exe 1016 Hllmcc32.exe 1016 Hllmcc32.exe 3008 Heealhla.exe 3008 Heealhla.exe 1356 Hhcmhdke.exe 1356 Hhcmhdke.exe 2156 Hpjeialg.exe 2156 Hpjeialg.exe 1556 Halbai32.exe 1556 Halbai32.exe 1236 Hibjbgbh.exe 1236 Hibjbgbh.exe 1300 Hlafnbal.exe 1300 Hlafnbal.exe 2352 Hanogipc.exe 2352 Hanogipc.exe 2272 Hlccdboi.exe 2272 Hlccdboi.exe 1672 Hmeolj32.exe 1672 Hmeolj32.exe 2344 Hndlem32.exe 2344 Hndlem32.exe 2884 Iabhah32.exe 2884 Iabhah32.exe 812 Imiigiab.exe 812 Imiigiab.exe 2780 Idcacc32.exe 2780 Idcacc32.exe 2876 Ijmipn32.exe 2876 Ijmipn32.exe 2952 Ilofhffj.exe 2952 Ilofhffj.exe -
Drops file in System32 directory 64 IoCs
Processes:
Peedka32.exeEcploipa.exeEhmdgp32.exeFgnadkic.exeBjdkjpkb.exeGkomjo32.exeBgdibkam.exePebpkk32.exeAlqnah32.exeJlelhe32.exeAmohfo32.exeMgjnhaco.exeQgjccb32.exeMjpkqonj.exePcghof32.exeImiigiab.exeJkpbdq32.exeKhlili32.exePegqpacp.exeAggiigmn.exeCicalakk.exeEaeipfei.exePhqmgg32.exeHlafnbal.exeCaifjn32.exeCnnnnh32.exeHjacjifm.exeMkndhabp.exeAficjnpm.exeBkpeci32.exeDiaaeepi.exePiicpk32.exeIlofhffj.exeMeabakda.exeQkffng32.exePplaki32.exeLjnnko32.exeLcomce32.exeBefmfpbi.exeIliebpfc.exeJlnklcej.exeEcbhdi32.exeBnqned32.exeGdmdacnn.exeMobfgdcl.exeGcmoda32.exeLomgjb32.exeHpjeialg.exeAknlofim.exeOabkom32.exeOagoep32.exeKpcqnf32.exeCbiiog32.exeLqipkhbj.exeKcopdb32.exeFolfoj32.exeJioopgef.exeFheabelm.exeIppdgc32.exeJefpeh32.exeNncbdomg.exeObmnna32.exedescription ioc process File created C:\Windows\SysWOW64\Ipnlibhd.dll Peedka32.exe File opened for modification C:\Windows\SysWOW64\Eeohkeoe.exe Ecploipa.exe File created C:\Windows\SysWOW64\Ofehob32.dll Ehmdgp32.exe File created C:\Windows\SysWOW64\Kgigbp32.dll Fgnadkic.exe File created C:\Windows\SysWOW64\Lbhnia32.dll Bjdkjpkb.exe File created C:\Windows\SysWOW64\Gmpjagfa.exe Gkomjo32.exe File created C:\Windows\SysWOW64\Bkpeci32.exe Bgdibkam.exe File opened for modification C:\Windows\SysWOW64\Phqmgg32.exe Pebpkk32.exe File created C:\Windows\SysWOW64\Binbknik.dll Alqnah32.exe File opened for modification C:\Windows\SysWOW64\Jbpdeogo.exe Jlelhe32.exe File created C:\Windows\SysWOW64\Mfmhch32.dll Amohfo32.exe File opened for modification C:\Windows\SysWOW64\Mikjpiim.exe Mgjnhaco.exe File created C:\Windows\SysWOW64\Mqdkghnj.dll Qgjccb32.exe File created C:\Windows\SysWOW64\Lgghom32.dll Mjpkqonj.exe File created C:\Windows\SysWOW64\Pgbdodnh.exe Pcghof32.exe File created C:\Windows\SysWOW64\Ghmekc32.dll Imiigiab.exe File created C:\Windows\SysWOW64\Iijbfecp.dll Jkpbdq32.exe File created C:\Windows\SysWOW64\Ljnnefda.dll Khlili32.exe File created C:\Windows\SysWOW64\Nilpge32.dll Pegqpacp.exe File opened for modification C:\Windows\SysWOW64\Aihfap32.exe Aggiigmn.exe File opened for modification C:\Windows\SysWOW64\Cpmjhk32.exe Cicalakk.exe File created C:\Windows\SysWOW64\Eddeladm.exe Eaeipfei.exe File created C:\Windows\SysWOW64\Pkoicb32.exe Phqmgg32.exe File opened for modification C:\Windows\SysWOW64\Hanogipc.exe Hlafnbal.exe File created C:\Windows\SysWOW64\Cchbgi32.exe Caifjn32.exe File created C:\Windows\SysWOW64\Ejobie32.dll Cnnnnh32.exe File opened for modification C:\Windows\SysWOW64\Hidcef32.exe Hjacjifm.exe File created C:\Windows\SysWOW64\Mnmpdlac.exe Mkndhabp.exe File created C:\Windows\SysWOW64\Ahgofi32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Bckjhl32.exe Bkpeci32.exe File created C:\Windows\SysWOW64\Mmhadf32.dll Diaaeepi.exe File opened for modification C:\Windows\SysWOW64\Plgolf32.exe Piicpk32.exe File opened for modification C:\Windows\SysWOW64\Iegjqk32.exe Ilofhffj.exe File created C:\Windows\SysWOW64\Fkfklboi.dll Meabakda.exe File created C:\Windows\SysWOW64\Mqdkdffe.dll Qkffng32.exe File opened for modification C:\Windows\SysWOW64\Pgfjhcge.exe Pplaki32.exe File created C:\Windows\SysWOW64\Lmljgj32.exe Ljnnko32.exe File created C:\Windows\SysWOW64\Lneaqn32.exe Lcomce32.exe File created C:\Windows\SysWOW64\Lcmfeo32.dll Befmfpbi.exe File opened for modification C:\Windows\SysWOW64\Ipeaco32.exe Iliebpfc.exe File created C:\Windows\SysWOW64\Bnljlm32.dll Jlnklcej.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Eaeipfei.exe Ecbhdi32.exe File opened for modification C:\Windows\SysWOW64\Baojapfj.exe Bnqned32.exe File created C:\Windows\SysWOW64\Ggkqmoma.exe Gdmdacnn.exe File created C:\Windows\SysWOW64\Hcelfiph.dll Mobfgdcl.exe File created C:\Windows\SysWOW64\Gfmgelil.exe Gcmoda32.exe File created C:\Windows\SysWOW64\Jppgpfpi.dll Lomgjb32.exe File created C:\Windows\SysWOW64\Ejgccq32.dll Aggiigmn.exe File opened for modification C:\Windows\SysWOW64\Halbai32.exe Hpjeialg.exe File created C:\Windows\SysWOW64\Amohfo32.exe Aknlofim.exe File created C:\Windows\SysWOW64\Piicpk32.exe Oabkom32.exe File opened for modification C:\Windows\SysWOW64\Ohagbj32.exe Oagoep32.exe File opened for modification C:\Windows\SysWOW64\Kcamjb32.exe Kpcqnf32.exe File created C:\Windows\SysWOW64\Dhfcho32.dll Cbiiog32.exe File opened for modification C:\Windows\SysWOW64\Lhpglecl.exe Lqipkhbj.exe File opened for modification C:\Windows\SysWOW64\Kgkleabc.exe Kcopdb32.exe File opened for modification C:\Windows\SysWOW64\Fajbke32.exe Folfoj32.exe File created C:\Windows\SysWOW64\Jlnklcej.exe Jioopgef.exe File created C:\Windows\SysWOW64\Mjcial32.dll Fheabelm.exe File created C:\Windows\SysWOW64\Idkpganf.exe Ippdgc32.exe File created C:\Windows\SysWOW64\Jialfgcc.exe Jefpeh32.exe File created C:\Windows\SysWOW64\Naejdn32.dll Nncbdomg.exe File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe Obmnna32.exe -
Drops file in Windows directory 1 IoCs
Processes:
Dpapaj32.exedescription ioc process File created C:\Windows\system32†Eanenbmi.¾ll Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Okdmjdol.exeBgffhkoj.exeDogpdg32.exeEobchk32.exeGblkoham.exeBdcifi32.exeFffefjmi.exeDiaaeepi.exeMfjann32.exeOnfoin32.exeCenljmgq.exeCileqlmg.exeKcamjb32.exeNcfoch32.exeIhniaa32.exeLohccp32.exeNlqmmd32.exePgfjhcge.exePciddedl.exeFamope32.exeFcnkhmdp.exeJialfgcc.exeNhgnaehm.exeJkpbdq32.exeEaheeecg.exeLcjlnpmo.exeOippjl32.exePhnpagdp.exeJlelhe32.exeKdjccf32.exeDbifnj32.exeCcjoli32.exeCcbphk32.exeGifclb32.exeLhfefgkg.exeNfoghakb.exeKkoncdcp.exeFncpef32.exeHcdnhoac.exeMcckcbgp.exeCnmfdb32.exeHpkompgg.exeIdgglb32.exeBbmcibjp.exeOoicid32.exeFhbnbpjc.exeCbppnbhm.exeJnkakl32.exeJdejhfig.exeGbjojh32.exeOabkom32.exePmmeon32.exeKhlili32.exeNfidjbdg.exeQhjfgl32.exeNallalep.exeBaojapfj.exeAfffenbp.exeDnpciaef.exeIabhah32.exeMchoid32.exeNajpll32.exeBflbigdb.exeHlgimqhf.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okdmjdol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eobchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffefjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaaeepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfoin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenljmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcamjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfoch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfjhcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkhmdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpbdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oippjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlelhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjccf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbphk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkoncdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdnhoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcckcbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkompgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmcibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbppnbhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkakl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdejhfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlili32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfidjbdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjfgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nallalep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baojapfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabhah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe -
Modifies registry class 64 IoCs
Processes:
Dnpciaef.exeLdpbpgoh.exePaknelgk.exeCbppnbhm.exeDjgkii32.exeGblkoham.exeLcjlnpmo.exeDpapaj32.exeMeabakda.exeDdblgn32.exeJpogbgmi.exeFmkilb32.exeGceailog.exeHcldhnkk.exeLhknaf32.exeKokjdb32.exeDjdgic32.exeMobfgdcl.exeJkkija32.exeJdhgnf32.exePcghof32.exeDogpdg32.exeEeohkeoe.exeGjjmijme.exeGhajacmo.exeKcopdb32.exeOhfqmi32.exeIbcnojnp.exeDiaaeepi.exeNfoghakb.exeFcjeon32.exeLfhhjklc.exeAqhhanig.exeJefpeh32.exeCcpcckck.exeImokehhl.exeFhgnge32.exeNjbdea32.exeBaojapfj.exeJlelhe32.exeMiehak32.exeJehlkhig.exeIhbcmaje.exeJaoqqflp.exeCbgmigeq.exeMnmpdlac.exeBjmeiq32.exeOijjka32.exeCpiqmlfm.exeFamope32.exeLnjcomcf.exeOnfoin32.exeBoogmgkl.exeNdmecgba.exeClojhf32.exeKoddccaa.exeHmkeke32.exeCmmagpef.exeGkomjo32.exeFgldnkkf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldpbpgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcpdkff.dll" Djgkii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepoia32.dll" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Eanenbmi.¾ll" Dpapaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbodaa32.dll" Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgfma32.dll" Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gceailog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibedepbh.dll" Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpeiada.dll" Lhknaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kokjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djdgic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è Dpapaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" Mobfgdcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkkija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdhgnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqilpbfo.dll" Eeohkeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfnge32.dll" Gjjmijme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgglgc32.dll" Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohfqmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibcnojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfhhjklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aqhhanig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbefdnjd.dll" Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhblm32.dll" Fhgnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfefh32.dll" Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckemgnc.dll" Jlelhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiegdegb.dll" Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jehlkhig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jaoqqflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdaldla.dll" Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®" Dpapaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liolokfg.dll" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Famope32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnjcomcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epilaieh.dll" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadlijdb.dll" Cmmagpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngfpmcbo.dll" Gkomjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeobp32.dll" Fgldnkkf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exeElnqmd32.exeFchijone.exeFffefjmi.exeFheabelm.exeFcjeon32.exeFhgnge32.exeFkjdopeh.exeFdbhge32.exeFgadda32.exeGkomjo32.exeGmpjagfa.exeGqnbhf32.exeGcmoda32.exeGfmgelil.exeGmgpbf32.exedescription pid process target process PID 3056 wrote to memory of 2408 3056 Backdoor.Win32.Padodor.SK.exe Elnqmd32.exe PID 3056 wrote to memory of 2408 3056 Backdoor.Win32.Padodor.SK.exe Elnqmd32.exe PID 3056 wrote to memory of 2408 3056 Backdoor.Win32.Padodor.SK.exe Elnqmd32.exe PID 3056 wrote to memory of 2408 3056 Backdoor.Win32.Padodor.SK.exe Elnqmd32.exe PID 2408 wrote to memory of 2544 2408 Elnqmd32.exe Fchijone.exe PID 2408 wrote to memory of 2544 2408 Elnqmd32.exe Fchijone.exe PID 2408 wrote to memory of 2544 2408 Elnqmd32.exe Fchijone.exe PID 2408 wrote to memory of 2544 2408 Elnqmd32.exe Fchijone.exe PID 2544 wrote to memory of 2756 2544 Fchijone.exe Fffefjmi.exe PID 2544 wrote to memory of 2756 2544 Fchijone.exe Fffefjmi.exe PID 2544 wrote to memory of 2756 2544 Fchijone.exe Fffefjmi.exe PID 2544 wrote to memory of 2756 2544 Fchijone.exe Fffefjmi.exe PID 2756 wrote to memory of 3004 2756 Fffefjmi.exe Fheabelm.exe PID 2756 wrote to memory of 3004 2756 Fffefjmi.exe Fheabelm.exe PID 2756 wrote to memory of 3004 2756 Fffefjmi.exe Fheabelm.exe PID 2756 wrote to memory of 3004 2756 Fffefjmi.exe Fheabelm.exe PID 3004 wrote to memory of 2640 3004 Fheabelm.exe Fcjeon32.exe PID 3004 wrote to memory of 2640 3004 Fheabelm.exe Fcjeon32.exe PID 3004 wrote to memory of 2640 3004 Fheabelm.exe Fcjeon32.exe PID 3004 wrote to memory of 2640 3004 Fheabelm.exe Fcjeon32.exe PID 2640 wrote to memory of 2660 2640 Fcjeon32.exe Fhgnge32.exe PID 2640 wrote to memory of 2660 2640 Fcjeon32.exe Fhgnge32.exe PID 2640 wrote to memory of 2660 2640 Fcjeon32.exe Fhgnge32.exe PID 2640 wrote to memory of 2660 2640 Fcjeon32.exe Fhgnge32.exe PID 2660 wrote to memory of 2316 2660 Fhgnge32.exe Fkjdopeh.exe PID 2660 wrote to memory of 2316 2660 Fhgnge32.exe Fkjdopeh.exe PID 2660 wrote to memory of 2316 2660 Fhgnge32.exe Fkjdopeh.exe PID 2660 wrote to memory of 2316 2660 Fhgnge32.exe Fkjdopeh.exe PID 2316 wrote to memory of 1824 2316 Fkjdopeh.exe Fdbhge32.exe PID 2316 wrote to memory of 1824 2316 Fkjdopeh.exe Fdbhge32.exe PID 2316 wrote to memory of 1824 2316 Fkjdopeh.exe Fdbhge32.exe PID 2316 wrote to memory of 1824 2316 Fkjdopeh.exe Fdbhge32.exe PID 1824 wrote to memory of 2968 1824 Fdbhge32.exe Fgadda32.exe PID 1824 wrote to memory of 2968 1824 Fdbhge32.exe Fgadda32.exe PID 1824 wrote to memory of 2968 1824 Fdbhge32.exe Fgadda32.exe PID 1824 wrote to memory of 2968 1824 Fdbhge32.exe Fgadda32.exe PID 2968 wrote to memory of 1348 2968 Fgadda32.exe Gkomjo32.exe PID 2968 wrote to memory of 1348 2968 Fgadda32.exe Gkomjo32.exe PID 2968 wrote to memory of 1348 2968 Fgadda32.exe Gkomjo32.exe PID 2968 wrote to memory of 1348 2968 Fgadda32.exe Gkomjo32.exe PID 1348 wrote to memory of 1804 1348 Gkomjo32.exe Gmpjagfa.exe PID 1348 wrote to memory of 1804 1348 Gkomjo32.exe Gmpjagfa.exe PID 1348 wrote to memory of 1804 1348 Gkomjo32.exe Gmpjagfa.exe PID 1348 wrote to memory of 1804 1348 Gkomjo32.exe Gmpjagfa.exe PID 1804 wrote to memory of 1628 1804 Gmpjagfa.exe Gqnbhf32.exe PID 1804 wrote to memory of 1628 1804 Gmpjagfa.exe Gqnbhf32.exe PID 1804 wrote to memory of 1628 1804 Gmpjagfa.exe Gqnbhf32.exe PID 1804 wrote to memory of 1628 1804 Gmpjagfa.exe Gqnbhf32.exe PID 1628 wrote to memory of 1764 1628 Gqnbhf32.exe Gcmoda32.exe PID 1628 wrote to memory of 1764 1628 Gqnbhf32.exe Gcmoda32.exe PID 1628 wrote to memory of 1764 1628 Gqnbhf32.exe Gcmoda32.exe PID 1628 wrote to memory of 1764 1628 Gqnbhf32.exe Gcmoda32.exe PID 1764 wrote to memory of 2176 1764 Gcmoda32.exe Gfmgelil.exe PID 1764 wrote to memory of 2176 1764 Gcmoda32.exe Gfmgelil.exe PID 1764 wrote to memory of 2176 1764 Gcmoda32.exe Gfmgelil.exe PID 1764 wrote to memory of 2176 1764 Gcmoda32.exe Gfmgelil.exe PID 2176 wrote to memory of 2360 2176 Gfmgelil.exe Gmgpbf32.exe PID 2176 wrote to memory of 2360 2176 Gfmgelil.exe Gmgpbf32.exe PID 2176 wrote to memory of 2360 2176 Gfmgelil.exe Gmgpbf32.exe PID 2176 wrote to memory of 2360 2176 Gfmgelil.exe Gmgpbf32.exe PID 2360 wrote to memory of 1016 2360 Gmgpbf32.exe Hllmcc32.exe PID 2360 wrote to memory of 1016 2360 Gmgpbf32.exe Hllmcc32.exe PID 2360 wrote to memory of 1016 2360 Gmgpbf32.exe Hllmcc32.exe PID 2360 wrote to memory of 1016 2360 Gmgpbf32.exe Hllmcc32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe34⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe35⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe36⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe37⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe38⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe40⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe41⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe43⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe44⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe47⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe49⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe50⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe51⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe52⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe59⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe63⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe64⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe67⤵PID:1048
-
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe68⤵PID:1736
-
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe69⤵
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe70⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe71⤵PID:1968
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe72⤵PID:2772
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe73⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe74⤵PID:2600
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe75⤵PID:1020
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe76⤵PID:1032
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe77⤵PID:2000
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe78⤵PID:1636
-
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe79⤵PID:1936
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe81⤵PID:3064
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe83⤵PID:2644
-
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe84⤵PID:1696
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe85⤵PID:1412
-
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2320 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe87⤵PID:2632
-
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe88⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe89⤵PID:2364
-
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe90⤵PID:2664
-
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe91⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe92⤵PID:2924
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe93⤵PID:2928
-
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe94⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe95⤵PID:3024
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe96⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe97⤵PID:700
-
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe98⤵PID:1512
-
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe99⤵PID:2860
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe100⤵PID:2836
-
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe101⤵PID:2624
-
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe102⤵PID:2744
-
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe103⤵PID:2508
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe104⤵PID:2144
-
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe106⤵PID:852
-
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe107⤵PID:1272
-
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe109⤵PID:1276
-
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe110⤵PID:2060
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe112⤵PID:2852
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe113⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe114⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe115⤵PID:572
-
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe116⤵
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe117⤵PID:1296
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe118⤵PID:1364
-
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe119⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe120⤵PID:2552
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe121⤵PID:2028
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe122⤵PID:1932
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe123⤵PID:2020
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe124⤵PID:3060
-
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe125⤵PID:2936
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe126⤵PID:1088
-
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe127⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe128⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe129⤵PID:1288
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe130⤵PID:2228
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe131⤵PID:2708
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe132⤵PID:532
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe133⤵PID:1688
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe134⤵PID:884
-
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe135⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe136⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe138⤵PID:1920
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe139⤵PID:444
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe140⤵PID:1760
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe141⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe142⤵PID:2832
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe143⤵PID:2824
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe144⤵PID:2056
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe145⤵PID:680
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe146⤵PID:1580
-
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe147⤵PID:1652
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe148⤵PID:2648
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe149⤵PID:2532
-
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe150⤵
- Drops file in System32 directory
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe151⤵PID:848
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe152⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe153⤵PID:2136
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe154⤵
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe155⤵PID:2076
-
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe156⤵
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe157⤵PID:1808
-
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe158⤵PID:1684
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe159⤵PID:1292
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe160⤵PID:3012
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe161⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe162⤵PID:2220
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe163⤵PID:1660
-
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe164⤵
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe166⤵PID:2788
-
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe167⤵PID:1084
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe168⤵PID:2760
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3104 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe170⤵
- Modifies registry class
PID:3160 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe171⤵
- Drops file in System32 directory
PID:3208 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe172⤵
- Drops file in System32 directory
PID:3248 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe173⤵PID:3288
-
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe174⤵PID:3328
-
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe175⤵PID:3368
-
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3408 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe177⤵PID:3448
-
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe178⤵PID:3488
-
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3528 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe180⤵PID:3568
-
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe181⤵PID:3608
-
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe182⤵PID:3648
-
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe183⤵PID:3688
-
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe184⤵PID:3728
-
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe185⤵PID:3768
-
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe186⤵PID:3808
-
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe187⤵PID:3848
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe188⤵
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe189⤵
- Drops file in System32 directory
PID:3928 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe190⤵
- Drops file in System32 directory
PID:3968 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe191⤵PID:4008
-
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe192⤵
- System Location Discovery: System Language Discovery
PID:4048 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe193⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe195⤵PID:544
-
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe196⤵
- System Location Discovery: System Language Discovery
PID:3136 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe197⤵PID:3128
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe198⤵PID:3240
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe199⤵
- Modifies registry class
PID:3280 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe200⤵PID:3344
-
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe201⤵PID:3392
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe202⤵PID:3444
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3496 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe204⤵PID:3544
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe205⤵PID:3580
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe206⤵PID:3640
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe207⤵
- Modifies registry class
PID:3660 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe208⤵
- Modifies registry class
PID:3748 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe209⤵PID:3792
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe210⤵
- Modifies registry class
PID:3840 -
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe211⤵
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe212⤵
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe213⤵
- Drops file in System32 directory
PID:3980 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe214⤵PID:4056
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe215⤵PID:4084
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe217⤵PID:3092
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe218⤵PID:3096
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe219⤵
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe220⤵PID:3276
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe221⤵PID:3356
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe222⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3424 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe223⤵PID:3480
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe224⤵PID:3520
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe225⤵
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe226⤵PID:3672
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe227⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3736 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe228⤵PID:3752
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe229⤵PID:3868
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3860 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe231⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4032 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe233⤵PID:1776
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe234⤵
- System Location Discovery: System Language Discovery
PID:3076 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe235⤵PID:3144
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe236⤵PID:3216
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe237⤵PID:3336
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe238⤵PID:3388
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe239⤵PID:3428
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe240⤵PID:3560
-
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe241⤵
- System Location Discovery: System Language Discovery
PID:3628 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3720