Analysis

max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 11:14

Static task: static1

Behavioral task: behavioral1
Sample: Backdoor.Win32.Padodor.SK.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Backdoor.Win32.Padodor.SK.exe
Resource: win10v2004-20240802-en

General

Target: Backdoor.Win32.Padodor.SK.exe
Size: 264KB
MD5: aceaf1f59a28ced9bd6f8684a304bd60
SHA1: 76ba20678a6a810bb62472dbff5b5b301f778750
SHA256: 120b17ce570df008b3057d9e65e9e1f2b434ad560e77fff80807c4c862b1ef3f
SHA512: b8d647537548dd51a85dd6285a6db3bc02a172b6dad60819b95fcec8ed177d55238e88b4d2fff007acd198e11f814179be2c8335b9674defd76fdfb8b200f556
SSDEEP: 6144:ubWiypZ0htd4pui6yYPaIGck72siBTQtpui6yYPaIGckv:ziypFpV6yYPc2siBTspV6yYPo

Malware Config

Extracted family: berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lmkbeg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afqifo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhdmfljb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gknkkmmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jcmkjeko.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcmpgpkp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmbfiokn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpnngh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pgihanii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mhfmbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bfghlhmd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eflceb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eedmlo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjbjlpga.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hohcmjic.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmijnfgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Malefbkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ahkkhnpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fkehdnee.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbdano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dlmegd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcflch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lokldg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfaqcclf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elfhmc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Geflne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cbnbhfde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jckeokan.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfdafa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lijlii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfgace32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bgjjoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flgadake.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jfikaqme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qfjcep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hjjldpdf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfghlhmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bbeobhlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qghlmbae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmkipncc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ecfhji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fnqebaog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jegohe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Odifjipd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ioafchai.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iocchhof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ihlgan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ohdbkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bichcc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpilekqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ceeaim32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eemgkpef.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Niglfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgbpdgap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Necqbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Joobdfei.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epbkhhel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mmiealgc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmfkjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Khfdlnab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgpcohcb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnfkgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dbphcpog.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbdmdlie.exe
Executes dropped EXE (64 IoCs)

pid | process
720 | Ohcmpn32.exe
4928 | Obkahddl.exe
2728 | Omaeem32.exe
2976 | Odljjo32.exe
3548 | Ooangh32.exe
4308 | Pijcpmhc.exe
2692 | Pbbgicnd.exe
4032 | Pmhkflnj.exe
2440 | Pcbdcf32.exe
892 | Pfppoa32.exe
4576 | Pfbmdabh.exe
2952 | Pokanf32.exe
4368 | Piceflpi.exe
2664 | Pomncfge.exe
1948 | Qfgfpp32.exe
3424 | Qejfkmem.exe
2856 | Qkdohg32.exe
2548 | Qfjcep32.exe
3960 | Qihoak32.exe
3124 | Aflpkpjm.exe
2448 | Aealll32.exe
4244 | Afqifo32.exe
2844 | Almanf32.exe
1524 | Abjfqpji.exe
3160 | Bblcfo32.exe
324 | Bboplo32.exe
4832 | Beoimjce.exe
3920 | Bpemkcck.exe
4992 | Blknpdho.exe
4644 | Cdebfago.exe
2968 | Cefoni32.exe
4892 | Cmmgof32.exe
4796 | Cmpcdfll.exe
4816 | Cfhhml32.exe
2608 | Cifdjg32.exe
820 | Cdlhgpag.exe
2268 | Ciiaogon.exe
2740 | Clgmkbna.exe
2236 | Cdnelpod.exe
3948 | Cmgjee32.exe
1928 | Debnjgcp.exe
352 | Dllffa32.exe
4404 | Dbfoclai.exe
1768 | Dibdeegc.exe
4856 | Dpllbp32.exe
4452 | Deidjf32.exe
4900 | Dpoiho32.exe
2204 | Dekapfke.exe
2908 | Epaemojk.exe
2132 | Egknji32.exe
3120 | Elhfbp32.exe
5028 | Edoncm32.exe
1684 | Emgblc32.exe
1056 | Epeohn32.exe
2660 | Ecdkdj32.exe
1036 | Eincadmf.exe
4572 | Ephlnn32.exe
984 | Ecfhji32.exe
2384 | Eeddfe32.exe
1664 | Eippgckc.exe
924 | Elolco32.exe
1844 | Ecidpiad.exe
2528 | Eibmlc32.exe
1564 | Fdhail32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | process
File created | C:\Windows\SysWOW64\Iddehb32.dll | Doqbifpl.exe
File created | C:\Windows\SysWOW64\Onccdj32.dll | Dbgndoho.exe
File created | C:\Windows\SysWOW64\Gjikhb32.dll | Flpkcbqm.exe
File created | C:\Windows\SysWOW64\Ocaocfbb.dll | Ikcmmjkb.exe
File created | C:\Windows\SysWOW64\Fffcpnjo.dll | Hcifmdeo.exe
File created | C:\Windows\SysWOW64\Dijdif32.dll | Kjipmoai.exe
File created | C:\Windows\SysWOW64\Enccibdi.dll | Pdeffgff.exe
File created | C:\Windows\SysWOW64\Icjkef32.dll | Ldfhgn32.exe
File opened for modification | C:\Windows\SysWOW64\Gipbck32.exe | Ghqeihbb.exe
File created | C:\Windows\SysWOW64\Akmjdpac.exe | Afpbkicl.exe
File created | C:\Windows\SysWOW64\Fcgpak32.dll | Odaiodbp.exe
File created | C:\Windows\SysWOW64\Dbphcpog.exe | Ckfofe32.exe
File opened for modification | C:\Windows\SysWOW64\Ggbmafnm.exe | Gcgqag32.exe
File created | C:\Windows\SysWOW64\Oediim32.exe | Oojalb32.exe
File created | C:\Windows\SysWOW64\Ndhqmknd.dll | Clffalkf.exe
File created | C:\Windows\SysWOW64\Naennejb.dll | Efhjjcpo.exe
File created | C:\Windows\SysWOW64\Fcmgpbjc.exe | Fbjjkble.exe
File created | C:\Windows\SysWOW64\Fepmgm32.exe | Fhllni32.exe
File created | C:\Windows\SysWOW64\Kcphpdil.exe | Jkhpogij.exe
File created | C:\Windows\SysWOW64\Oejcki32.dll | Oeamcmmo.exe
File opened for modification | C:\Windows\SysWOW64\Jfmekm32.exe | Jcoioabf.exe
File created | C:\Windows\SysWOW64\Blobgill.dll | Lfodmdni.exe
File created | C:\Windows\SysWOW64\Bhcdcbcl.dll | Cjfclcpg.exe
File created | C:\Windows\SysWOW64\Pbblinfi.dll | Hohcmjic.exe
File created | C:\Windows\SysWOW64\Mjaodkmo.exe | Mcggga32.exe
File created | C:\Windows\SysWOW64\Fnqebaog.exe | Fgfmeg32.exe
File opened for modification | C:\Windows\SysWOW64\Nkpijfgf.exe | Necqbo32.exe
File created | C:\Windows\SysWOW64\Hpqkcc32.dll | Pnknim32.exe
File opened for modification | C:\Windows\SysWOW64\Malnklgg.exe | Midfjnge.exe
File opened for modification | C:\Windows\SysWOW64\Dibdeegc.exe | Dbfoclai.exe
File created | C:\Windows\SysWOW64\Kbgafqla.exe | Kkmijf32.exe
File opened for modification | C:\Windows\SysWOW64\Glbapoqh.exe | Gbjlgj32.exe
File created | C:\Windows\SysWOW64\Nkebee32.exe | Nehjmnei.exe
File created | C:\Windows\SysWOW64\Gdaejejc.dll | Hhnkppbf.exe
File created | C:\Windows\SysWOW64\Qodhmn32.dll | Hmmakk32.exe
File opened for modification | C:\Windows\SysWOW64\Lcbmlbig.exe | Limioiia.exe
File opened for modification | C:\Windows\SysWOW64\Ajodef32.exe | Ahngmnnd.exe
File created | C:\Windows\SysWOW64\Qimdklek.dll | Ihmnldib.exe
File created | C:\Windows\SysWOW64\Dlkplk32.exe | Deagoa32.exe
File opened for modification | C:\Windows\SysWOW64\Hohcmjic.exe | Hhnkppbf.exe
File opened for modification | C:\Windows\SysWOW64\Pbbgicnd.exe | Pijcpmhc.exe
File created | C:\Windows\SysWOW64\Mckfmq32.dll | Dibdeegc.exe
File created | C:\Windows\SysWOW64\Gdjgppkk.dll | Hcembe32.exe
File opened for modification | C:\Windows\SysWOW64\Bihancje.exe | Bpomem32.exe
File created | C:\Windows\SysWOW64\Lbccec32.dll | Bqbohocd.exe
File created | C:\Windows\SysWOW64\Qfeckiie.dll | Cdnelpod.exe
File created | C:\Windows\SysWOW64\Edcfpa32.dll | Gipbck32.exe
File opened for modification | C:\Windows\SysWOW64\Dendok32.exe | Dbphcpog.exe
File created | C:\Windows\SysWOW64\Hnpnedno.dll | Akmjdpac.exe
File created | C:\Windows\SysWOW64\Dpkhci32.dll | Fcpkph32.exe
File opened for modification | C:\Windows\SysWOW64\Bgkaip32.exe | Bihancje.exe
File opened for modification | C:\Windows\SysWOW64\Lmneemaq.exe | Lpjelibg.exe
File created | C:\Windows\SysWOW64\Dllffa32.exe | Debnjgcp.exe
File created | C:\Windows\SysWOW64\Afboah32.exe | Abgcqjhp.exe
File created | C:\Windows\SysWOW64\Dolinf32.exe | Diopep32.exe
File created | C:\Windows\SysWOW64\Cjfclcpg.exe | Cghgpgqd.exe
File created | C:\Windows\SysWOW64\Ecnnqk32.dll | Andqol32.exe
File opened for modification | C:\Windows\SysWOW64\Kplijk32.exe | Kaihonhl.exe
File created | C:\Windows\SysWOW64\Mhfmom32.dll | Kaihonhl.exe
File created | C:\Windows\SysWOW64\Ijkdkq32.exe | Iofpnhmc.exe
File created | C:\Windows\SysWOW64\Cjkjpdog.dll | Eekjep32.exe
File created | C:\Windows\SysWOW64\Ikmpcicg.exe | Ijkdkq32.exe
File opened for modification | C:\Windows\SysWOW64\Ldfhgn32.exe | Laglkb32.exe
File created | C:\Windows\SysWOW64\Jgflobdk.dll | Diamko32.exe
Program crash (1 IoC)

pid | pid_target | process | target process
12476 | 12976 | WerFault.exe | Mbldhn32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the following 64 processes:
Dbfoclai.exe, Mhkgnkoj.exe, Ggoiap32.exe, Mjaodkmo.exe, Afqifo32.exe, Dpoiho32.exe, Nhdicjfp.exe, Jckeokan.exe, Kjlcmdbb.exe, Flpkcbqm.exe, Glinjqhb.exe, Dpllbp32.exe, Jgcooaah.exe, Jjakkmpk.exe, Dpdogj32.exe, Cmmgof32.exe, Mgpcohcb.exe, Anfmeldl.exe, Dehgejep.exe, Limioiia.exe, Elolco32.exe, Ioffhn32.exe, Midfjnge.exe, Ajodef32.exe, Qoocnpag.exe, Ogefqeaj.exe, Igkadlcd.exe, Iabodcnj.exe, Mbldhn32.exe, Aflpkpjm.exe, Dbckcf32.exe, Jonlimkg.exe, Cnmebblf.exe, Gnanioad.exe, Oeamcmmo.exe, Mpqklh32.exe, Adnbapjp.exe, Gaoihfoo.exe, Cfhhml32.exe, Gkcdfl32.exe, Kmppneal.exe, Flmonbbp.exe, Akenij32.exe, Pgeogb32.exe, Iofpnhmc.exe, Elhfbp32.exe, Dpglmjoj.exe, Eoconenj.exe, Bkhceh32.exe, Dnienqbi.exe, Beoimjce.exe, Bpomem32.exe, Pdmikb32.exe, Hcifmdeo.exe, Clpppmqn.exe, Ljmmcbdp.exe, Pdbbfadn.exe, Oolnabal.exe, Hgbonm32.exe, Qjcdih32.exe, Mobbdf32.exe, Malefbkc.exe, Bnicai32.exe, Eflceb32.exe
Modifies registry class (64 IoCs)

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfdqfbai.dll" | Elfhmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dheiop32.dll" | Gplged32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cqghcn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kclnfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jfikaqme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beaeca32.dll" | Capkim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ejdonq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Eibmlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcgpak32.dll" | Odaiodbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Icdhdfcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eheani32.dll" | Dpoiho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnailf32.dll" | Oahgnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkgdlkh.dll" | Pgihanii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qihoak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdngihbo.dll" | Abgcqjhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lhjnfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldcodde.dll" | Eedmlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Anffje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Almanf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dpllbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkhdmeh.dll" | Phkaqqoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnojon32.dll" | Dnienqbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ghbkdald.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hmmakk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Icciccmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bghddp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Diamko32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mhjpceko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihjhq32.dll" | Eecfah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpjmf32.dll" | Gqkajk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aokcjngj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cjomldfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eejcki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jobfdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nmedmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidjgo32.dll" | Ngipjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pkgaglpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Enedio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejecf32.dll" | Cbihmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Icdoolge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfmom32.dll" | Kaihonhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gknkkmmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgagnd32.dll" | Ijgjpaao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ljephmgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Beaohcmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bampkqcn.dll" | Dfqdid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koicbp32.dll" | Fhiinbdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljccfoqj.dll" | Ghbkdald.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ckfofe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Iibaeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll" | Pfppoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dpoiho32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hcifmdeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgfpe32.dll" | Gknkkmmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpngef32.dll" | Cmgjee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fckaeioa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhkja32.dll" | Dllffa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pnknim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkdhaje.dll" | Dijgjpip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppehbl32.dll" | Ahpdcn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mlbllc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll" | Ciiaogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqkcc32.dll" | Pnknim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejqdci32.dll" | Oggbfdog.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe (PID 1952), command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ohcmpn32.exe (PID 720), command line: C:\Windows\system32\Ohcmpn32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Obkahddl.exe (PID 4928), command line: C:\Windows\system32\Obkahddl.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Omaeem32.exe (PID 2728), command line: C:\Windows\system32\Omaeem32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Odljjo32.exe (PID 2976), command line: C:\Windows\system32\Odljjo32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ooangh32.exe (PID 3548), command line: C:\Windows\system32\Ooangh32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Pijcpmhc.exe (PID 4308), command line: C:\Windows\system32\Pijcpmhc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Pbbgicnd.exe (PID 2692), command line: C:\Windows\system32\Pbbgicnd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pmhkflnj.exe (PID 4032), command line: C:\Windows\system32\Pmhkflnj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pcbdcf32.exe (PID 2440), command line: C:\Windows\system32\Pcbdcf32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pfppoa32.exe (PID 892), command line: C:\Windows\system32\Pfppoa32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pfbmdabh.exe (PID 4576), command line: C:\Windows\system32\Pfbmdabh.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pokanf32.exe (PID 2952), command line: C:\Windows\system32\Pokanf32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Piceflpi.exe (PID 4368), command line: C:\Windows\system32\Piceflpi.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pomncfge.exe (PID 2664), command line: C:\Windows\system32\Pomncfge.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Qfgfpp32.exe (PID 1948), command line: C:\Windows\system32\Qfgfpp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Qejfkmem.exe (PID 3424), command line: C:\Windows\system32\Qejfkmem.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Qkdohg32.exe (PID 2856), command line: C:\Windows\system32\Qkdohg32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Qfjcep32.exe (PID 2548), command line: C:\Windows\system32\Qfjcep32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Qihoak32.exe (PID 3960), command line: C:\Windows\system32\Qihoak32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Aflpkpjm.exe (PID 3124), command line: C:\Windows\system32\Aflpkpjm.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Aealll32.exe (PID 2448), command line: C:\Windows\system32\Aealll32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Afqifo32.exe (PID 4244), command line: C:\Windows\system32\Afqifo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\Almanf32.exe (PID 2844), command line: C:\Windows\system32\Almanf32.exe
- Executes dropped EXE
- Modifies registry class
25. C:\Windows\SysWOW64\Abjfqpji.exe (PID 1524), command line: C:\Windows\system32\Abjfqpji.exe
- Executes dropped EXE
26. C:\Windows\SysWOW64\Bblcfo32.exe (PID 3160), command line: C:\Windows\system32\Bblcfo32.exe
- Executes dropped EXE
27. C:\Windows\SysWOW64\Bboplo32.exe (PID 324), command line: C:\Windows\system32\Bboplo32.exe
- Executes dropped EXE
28. C:\Windows\SysWOW64\Blgddd32.exe (PID 4548), command line: C:\Windows\system32\Blgddd32.exe
29. C:\Windows\SysWOW64\Beoimjce.exe (PID 4832), command line: C:\Windows\system32\Beoimjce.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
30. C:\Windows\SysWOW64\Bpemkcck.exe (PID 3920), command line: C:\Windows\system32\Bpemkcck.exe
- Executes dropped EXE
31. C:\Windows\SysWOW64\Blknpdho.exe (PID 4992), command line: C:\Windows\system32\Blknpdho.exe
- Executes dropped EXE
32. C:\Windows\SysWOW64\Cdebfago.exe (PID 4644), command line: C:\Windows\system32\Cdebfago.exe
- Executes dropped EXE
33. C:\Windows\SysWOW64\Cefoni32.exe (PID 2968), command line: C:\Windows\system32\Cefoni32.exe
- Executes dropped EXE
34. C:\Windows\SysWOW64\Cmmgof32.exe (PID 4892), command line: C:\Windows\system32\Cmmgof32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
35. C:\Windows\SysWOW64\Cmpcdfll.exe (PID 4796), command line: C:\Windows\system32\Cmpcdfll.exe
- Executes dropped EXE
36. C:\Windows\SysWOW64\Cfhhml32.exe (PID 4816), command line: C:\Windows\system32\Cfhhml32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
37. C:\Windows\SysWOW64\Cifdjg32.exe (PID 2608), command line: C:\Windows\system32\Cifdjg32.exe
- Executes dropped EXE
38. C:\Windows\SysWOW64\Cdlhgpag.exe (PID 820), command line: C:\Windows\system32\Cdlhgpag.exe
- Executes dropped EXE
39. C:\Windows\SysWOW64\Ciiaogon.exe (PID 2268), command line: C:\Windows\system32\Ciiaogon.exe
- Executes dropped EXE
- Modifies registry class
40. C:\Windows\SysWOW64\Clgmkbna.exe (PID 2740), command line: C:\Windows\system32\Clgmkbna.exe
- Executes dropped EXE
41. C:\Windows\SysWOW64\Cdnelpod.exe (PID 2236), command line: C:\Windows\system32\Cdnelpod.exe
- Executes dropped EXE
- Drops file in System32 directory
42. C:\Windows\SysWOW64\Cmgjee32.exe (PID 3948), command line: C:\Windows\system32\Cmgjee32.exe
- Executes dropped EXE
- Modifies registry class
43. C:\Windows\SysWOW64\Debnjgcp.exe (PID 1928), command line: C:\Windows\system32\Debnjgcp.exe
- Executes dropped EXE
- Drops file in System32 directory
44. C:\Windows\SysWOW64\Dllffa32.exe (PID 352), command line: C:\Windows\system32\Dllffa32.exe
- Executes dropped EXE
- Modifies registry class
45. C:\Windows\SysWOW64\Dbfoclai.exe (PID 4404), command line: C:\Windows\system32\Dbfoclai.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Dibdeegc.exe (PID 1768), command line: C:\Windows\system32\Dibdeegc.exe
- Executes dropped EXE
- Drops file in System32 directory
47. C:\Windows\SysWOW64\Dpllbp32.exe (PID 4856), command line: C:\Windows\system32\Dpllbp32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
48. C:\Windows\SysWOW64\Deidjf32.exe (PID 4452), command line: C:\Windows\system32\Deidjf32.exe
- Executes dropped EXE
49. C:\Windows\SysWOW64\Dpoiho32.exe (PID 4900), command line: C:\Windows\system32\Dpoiho32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
50. C:\Windows\SysWOW64\Dekapfke.exe (PID 2204), command line: C:\Windows\system32\Dekapfke.exe
- Executes dropped EXE
51. C:\Windows\SysWOW64\Epaemojk.exe (PID 2908), command line: C:\Windows\system32\Epaemojk.exe
- Executes dropped EXE
52. C:\Windows\SysWOW64\Egknji32.exe (PID 2132), command line: C:\Windows\system32\Egknji32.exe
- Executes dropped EXE
53. C:\Windows\SysWOW64\Elhfbp32.exe (PID 3120), command line: C:\Windows\system32\Elhfbp32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
54. C:\Windows\SysWOW64\Edoncm32.exe (PID 5028), command line: C:\Windows\system32\Edoncm32.exe
- Executes dropped EXE
55. C:\Windows\SysWOW64\Emgblc32.exe (PID 1684), command line: C:\Windows\system32\Emgblc32.exe
- Executes dropped EXE
56. C:\Windows\SysWOW64\Epeohn32.exe (PID 1056), command line: C:\Windows\system32\Epeohn32.exe
- Executes dropped EXE
57. C:\Windows\SysWOW64\Ecdkdj32.exe (PID 2660), command line: C:\Windows\system32\Ecdkdj32.exe
- Executes dropped EXE
58. C:\Windows\SysWOW64\Eincadmf.exe (PID 1036), command line: C:\Windows\system32\Eincadmf.exe
- Executes dropped EXE
59. C:\Windows\SysWOW64\Ephlnn32.exe (PID 4572), command line: C:\Windows\system32\Ephlnn32.exe
- Executes dropped EXE
60. C:\Windows\SysWOW64\Ecfhji32.exe (PID 984), command line: C:\Windows\system32\Ecfhji32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
61. C:\Windows\SysWOW64\Eeddfe32.exe (PID 2384), command line: C:\Windows\system32\Eeddfe32.exe
- Executes dropped EXE
62. C:\Windows\SysWOW64\Eippgckc.exe (PID 1664), command line: C:\Windows\system32\Eippgckc.exe
- Executes dropped EXE
63. C:\Windows\SysWOW64\Elolco32.exe (PID 924), command line: C:\Windows\system32\Elolco32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
64. C:\Windows\SysWOW64\Ecidpiad.exe (PID 1844), command line: C:\Windows\system32\Ecidpiad.exe
- Executes dropped EXE
65. C:\Windows\SysWOW64\Eibmlc32.exe (PID 2528), command line: C:\Windows\system32\Eibmlc32.exe
- Executes dropped EXE
- Modifies registry class
66. C:\Windows\SysWOW64\Fdhail32.exe (PID 1564), command line: C:\Windows\system32\Fdhail32.exe
- Executes dropped EXE
67. C:\Windows\SysWOW64\Fckaeioa.exe (PID 4112), command line: C:\Windows\system32\Fckaeioa.exe
- Modifies registry class
68. C:\Windows\SysWOW64\Fgfmeg32.exe (PID 1944), command line: C:\Windows\system32\Fgfmeg32.exe
- Drops file in System32 directory
69. C:\Windows\SysWOW64\Fnqebaog.exe (PID 2676), command line: C:\Windows\system32\Fnqebaog.exe
- Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Fdjnolfd.exe (PID 5136), command line: C:\Windows\system32\Fdjnolfd.exe
71. C:\Windows\SysWOW64\Fcpkph32.exe (PID 5176), command line: C:\Windows\system32\Fcpkph32.exe
- Drops file in System32 directory
72. C:\Windows\SysWOW64\Ffpcbchm.exe (PID 5216), command line: C:\Windows\system32\Ffpcbchm.exe
73. C:\Windows\SysWOW64\Fdadpk32.exe (PID 5256), command line: C:\Windows\system32\Fdadpk32.exe
74. C:\Windows\SysWOW64\Gcgqag32.exe (PID 5296), command line: C:\Windows\system32\Gcgqag32.exe
- Drops file in System32 directory
75. C:\Windows\SysWOW64\Ggbmafnm.exe (PID 5336), command line: C:\Windows\system32\Ggbmafnm.exe
76. C:\Windows\SysWOW64\Gqkajk32.exe (PID 5376), command line: C:\Windows\system32\Gqkajk32.exe
- Modifies registry class
77. C:\Windows\SysWOW64\Gfgjbb32.exe (PID 5416), command line: C:\Windows\system32\Gfgjbb32.exe
78. C:\Windows\SysWOW64\Gjcfcakn.exe (PID 5488), command line: C:\Windows\system32\Gjcfcakn.exe
79. C:\Windows\SysWOW64\Glabolja.exe (PID 5532), command line: C:\Windows\system32\Glabolja.exe
80. C:\Windows\SysWOW64\Gggfme32.exe (PID 5572), command line: C:\Windows\system32\Gggfme32.exe
81. C:\Windows\SysWOW64\Gnanioad.exe (PID 5612), command line: C:\Windows\system32\Gnanioad.exe
- System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Gnckooob.exe (PID 5660), command line: C:\Windows\system32\Gnckooob.exe
83. C:\Windows\SysWOW64\Gmfkjl32.exe (PID 5704), command line: C:\Windows\system32\Gmfkjl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
84. C:\Windows\SysWOW64\Hjjldpdf.exe (PID 5748), command line: C:\Windows\system32\Hjjldpdf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Hqddqj32.exe (PID 5796), command line: C:\Windows\system32\Hqddqj32.exe
86. C:\Windows\SysWOW64\Hcembe32.exe (PID 5844), command line: C:\Windows\system32\Hcembe32.exe
- Drops file in System32 directory
87. C:\Windows\SysWOW64\Hmmakk32.exe (PID 5888), command line: C:\Windows\system32\Hmmakk32.exe
- Drops file in System32 directory
- Modifies registry class
88. C:\Windows\SysWOW64\Hgbfhc32.exe (PID 5932), command line: C:\Windows\system32\Hgbfhc32.exe
89. C:\Windows\SysWOW64\Hcifmdeo.exe (PID 5976), command line: C:\Windows\system32\Hcifmdeo.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
90. C:\Windows\SysWOW64\Hdicggla.exe (PID 6020), command line: C:\Windows\system32\Hdicggla.exe
91. C:\Windows\SysWOW64\Imdgljil.exe (PID 6064), command line: C:\Windows\system32\Imdgljil.exe
92. C:\Windows\SysWOW64\Incdem32.exe (PID 6108), command line: C:\Windows\system32\Incdem32.exe
93. C:\Windows\SysWOW64\Iqbpahpc.exe (PID 3204), command line: C:\Windows\system32\Iqbpahpc.exe
94. C:\Windows\SysWOW64\Ifoijonj.exe (PID 5208), command line: C:\Windows\system32\Ifoijonj.exe
95. C:\Windows\SysWOW64\Infqklol.exe (PID 5280), command line: C:\Windows\system32\Infqklol.exe
96. C:\Windows\SysWOW64\Icciccmd.exe (PID 5372), command line: C:\Windows\system32\Icciccmd.exe
- Modifies registry class
97. C:\Windows\SysWOW64\Ijmapm32.exe (PID 5496), command line: C:\Windows\system32\Ijmapm32.exe
98. C:\Windows\SysWOW64\Icefib32.exe (PID 5516), command line: C:\Windows\system32\Icefib32.exe
99. C:\Windows\SysWOW64\Igqbiacj.exe (PID 5600), command line: C:\Windows\system32\Igqbiacj.exe
100. C:\Windows\SysWOW64\Inkjfk32.exe (PID 5668), command line: C:\Windows\system32\Inkjfk32.exe
101. C:\Windows\SysWOW64\Jgcooaah.exe (PID 5736), command line: C:\Windows\system32\Jgcooaah.exe
- System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Jjakkmpk.exe (PID 5812), command line: C:\Windows\system32\Jjakkmpk.exe
- System Location Discovery: System Language Discovery
103. C:\Windows\SysWOW64\Jegohe32.exe (PID 5880), command line: C:\Windows\system32\Jegohe32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
104. C:\Windows\SysWOW64\Jgekdq32.exe (PID 5948), command line: C:\Windows\system32\Jgekdq32.exe
105. C:\Windows\SysWOW64\Jnocakfb.exe (PID 6028), command line: C:\Windows\system32\Jnocakfb.exe
106. C:\Windows\SysWOW64\Jclljaei.exe (PID 6092), command line: C:\Windows\system32\Jclljaei.exe
107. C:\Windows\SysWOW64\Jnapgjdo.exe (PID 5148), command line: C:\Windows\system32\Jnapgjdo.exe
108. C:\Windows\SysWOW64\Japmcfcc.exe (PID 5252), command line: C:\Windows\system32\Japmcfcc.exe
109. C:\Windows\SysWOW64\Jcoioabf.exe (PID 5400), command line: C:\Windows\system32\Jcoioabf.exe
- Drops file in System32 directory
110. C:\Windows\SysWOW64\Jfmekm32.exe (PID 5648), command line: C:\Windows\system32\Jfmekm32.exe
111. C:\Windows\SysWOW64\Jfoaam32.exe (PID 5744), command line: C:\Windows\system32\Jfoaam32.exe
112. C:\Windows\SysWOW64\Jmijnfgd.exe (PID 5864), command line: C:\Windows\system32\Jmijnfgd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Khonkogj.exe (PID 5960), command line: C:\Windows\system32\Khonkogj.exe
114. C:\Windows\SysWOW64\Kfanflne.exe (PID 6076), command line: C:\Windows\system32\Kfanflne.exe
115. C:\Windows\SysWOW64\Knifging.exe (PID 5212), command line: C:\Windows\system32\Knifging.exe
116. C:\Windows\SysWOW64\Kfdklllb.exe (PID 5408), command line: C:\Windows\system32\Kfdklllb.exe
117. C:\Windows\SysWOW64\Kaioidkh.exe (PID 5700), command line: C:\Windows\system32\Kaioidkh.exe
118. C:\Windows\SysWOW64\Keekjc32.exe (PID 5876), command line: C:\Windows\system32\Keekjc32.exe
119. C:\Windows\SysWOW64\Knmpbi32.exe (PID 6048), command line: C:\Windows\system32\Knmpbi32.exe
120. C:\Windows\SysWOW64\Kmppneal.exe (PID 5228), command line: C:\Windows\system32\Kmppneal.exe
- System Location Discovery: System Language Discovery
121. C:\Windows\SysWOW64\Khfdlnab.exe (PID 5628), command line: C:\Windows\system32\Khfdlnab.exe
- Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Knpmhh32.exe (PID 5840), command line: C:\Windows\system32\Knpmhh32.exe
123. C:\Windows\SysWOW64\Kejeebpl.exe (PID 5144), command line: C:\Windows\system32\Kejeebpl.exe
124. C:\Windows\SysWOW64\Kjfmminc.exe (PID 5916), command line: C:\Windows\system32\Kjfmminc.exe
125. C:\Windows\SysWOW64\Kmeiie32.exe (PID 5248), command line: C:\Windows\system32\Kmeiie32.exe
126. C:\Windows\SysWOW64\Lhjnfn32.exe (PID 5184), command line: C:\Windows\system32\Lhjnfn32.exe
- Modifies registry class
127. C:\Windows\SysWOW64\Lndfchdj.exe (PID 6116), command line: C:\Windows\system32\Lndfchdj.exe
128. C:\Windows\SysWOW64\Lennpb32.exe (PID 5852), command line: C:\Windows\system32\Lennpb32.exe
129. C:\Windows\SysWOW64\Logbigbg.exe (PID 6184), command line: C:\Windows\system32\Logbigbg.exe
130. C:\Windows\SysWOW64\Lmjcdd32.exe (PID 6228), command line: C:\Windows\system32\Lmjcdd32.exe
131. C:\Windows\SysWOW64\Leqkeajd.exe (PID 6272), command line: C:\Windows\system32\Leqkeajd.exe
132. C:\Windows\SysWOW64\Lmlpjdgo.exe (PID 6316), command line: C:\Windows\system32\Lmlpjdgo.exe
133. C:\Windows\SysWOW64\Laglkb32.exe (PID 6360), command line: C:\Windows\system32\Laglkb32.exe
- Drops file in System32 directory
134. C:\Windows\SysWOW64\Ldfhgn32.exe (PID 6404), command line: C:\Windows\system32\Ldfhgn32.exe
- Drops file in System32 directory
135. C:\Windows\SysWOW64\Lokldg32.exe (PID 6448), command line: C:\Windows\system32\Lokldg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
136. C:\Windows\SysWOW64\Ldhdlnli.exe (PID 6492), command line: C:\Windows\system32\Ldhdlnli.exe
137. C:\Windows\SysWOW64\Lkbmih32.exe (PID 6536), command line: C:\Windows\system32\Lkbmih32.exe
138. C:\Windows\SysWOW64\Malefbkc.exe (PID 6580), command line: C:\Windows\system32\Malefbkc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
139. C:\Windows\SysWOW64\Mhfmbl32.exe (PID 6624), command line: C:\Windows\system32\Mhfmbl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
140. C:\Windows\SysWOW64\Mopeofjl.exe (PID 6664), command line: C:\Windows\system32\Mopeofjl.exe
141. C:\Windows\SysWOW64\Mejnlpai.exe (PID 6708), command line: C:\Windows\system32\Mejnlpai.exe
142. C:\Windows\SysWOW64\Mgkjch32.exe (PID 6752), command line: C:\Windows\system32\Mgkjch32.exe
143. C:\Windows\SysWOW64\Mobbdf32.exe (PID 6792), command line: C:\Windows\system32\Mobbdf32.exe
- System Location Discovery: System Language Discovery
144. C:\Windows\SysWOW64\Mdokmm32.exe (PID 6836), command line: C:\Windows\system32\Mdokmm32.exe
145. C:\Windows\SysWOW64\Mhkgnkoj.exe (PID 6880), command line: C:\Windows\system32\Mhkgnkoj.exe
- System Location Discovery: System Language Discovery
146. C:\Windows\SysWOW64\Mmhofbma.exe (PID 6924), command line: C:\Windows\system32\Mmhofbma.exe
147. C:\Windows\SysWOW64\Mhmcck32.exe (PID 6968), command line: C:\Windows\system32\Mhmcck32.exe
148. C:\Windows\SysWOW64\Mgpcohcb.exe (PID 7008), command line: C:\Windows\system32\Mgpcohcb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
149. C:\Windows\SysWOW64\Maehlqch.exe (PID 7056), command line: C:\Windows\system32\Maehlqch.exe
150. C:\Windows\SysWOW64\Mgbpdgap.exe (PID 7100), command line: C:\Windows\system32\Mgbpdgap.exe
- Adds autorun key to be loaded by Explorer.exe on startup
151. C:\Windows\SysWOW64\Nmlhaa32.exe (PID 7148), command line: C:\Windows\system32\Nmlhaa32.exe
152. C:\Windows\SysWOW64\Necqbo32.exe (PID 6180), command line: C:\Windows\system32\Necqbo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
153. C:\Windows\SysWOW64\Nkpijfgf.exe (PID 6260), command line: C:\Windows\system32\Nkpijfgf.exe
154. C:\Windows\SysWOW64\Nnoefagj.exe (PID 6324), command line: C:\Windows\system32\Nnoefagj.exe
155. C:\Windows\SysWOW64\Nhdicjfp.exe (PID 6392), command line: C:\Windows\system32\Nhdicjfp.exe
- System Location Discovery: System Language Discovery
156. C:\Windows\SysWOW64\Nkbfpeec.exe (PID 6468), command line: C:\Windows\system32\Nkbfpeec.exe
157. C:\Windows\SysWOW64\Nehjmnei.exe (PID 6528), command line: C:\Windows\system32\Nehjmnei.exe
- Drops file in System32 directory
158. C:\Windows\SysWOW64\Nkebee32.exe (PID 6600), command line: C:\Windows\system32\Nkebee32.exe
159. C:\Windows\SysWOW64\Nncoaq32.exe (PID 6672), command line: C:\Windows\system32\Nncoaq32.exe
160. C:\Windows\SysWOW64\Ndmgnkja.exe (PID 6728), command line: C:\Windows\system32\Ndmgnkja.exe
161. C:\Windows\SysWOW64\Nkgoke32.exe (PID 6804), command line: C:\Windows\system32\Nkgoke32.exe
162. C:\Windows\SysWOW64\Nnfkgp32.exe (PID 6876), command line: C:\Windows\system32\Nnfkgp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
163. C:\Windows\SysWOW64\Nhkpdi32.exe (PID 6952), command line: C:\Windows\system32\Nhkpdi32.exe
164. C:\Windows\SysWOW64\Nkjlqd32.exe (PID 7020), command line: C:\Windows\system32\Nkjlqd32.exe
165. C:\Windows\SysWOW64\Odbpij32.exe (PID 7084), command line: C:\Windows\system32\Odbpij32.exe
166. C:\Windows\SysWOW64\Oklifdmi.exe (PID 7160), command line: C:\Windows\system32\Oklifdmi.exe
167. C:\Windows\SysWOW64\Oeamcmmo.exe (PID 6248), command line: C:\Windows\system32\Oeamcmmo.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
168. C:\Windows\SysWOW64\Ohpiphlb.exe (PID 6344), command line: C:\Windows\system32\Ohpiphlb.exe
169. C:\Windows\SysWOW64\Oojalb32.exe (PID 6456), command line: C:\Windows\system32\Oojalb32.exe
- Drops file in System32 directory
170. C:\Windows\SysWOW64\Oediim32.exe (PID 6588), command line: C:\Windows\system32\Oediim32.exe
171. C:\Windows\SysWOW64\Ogefqeaj.exe (PID 6696), command line: C:\Windows\system32\Ogefqeaj.exe
- System Location Discovery: System Language Discovery
172. C:\Windows\SysWOW64\Okqbac32.exe (PID 6856), command line: C:\Windows\system32\Okqbac32.exe
173. C:\Windows\SysWOW64\Oolnabal.exe (PID 7048), command line: C:\Windows\system32\Oolnabal.exe
- System Location Discovery: System Language Discovery
174. C:\Windows\SysWOW64\Oakjnnap.exe (PID 6168), command line: C:\Windows\system32\Oakjnnap.exe
175. C:\Windows\SysWOW64\Odifjipd.exe (PID 6444), command line: C:\Windows\system32\Odifjipd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
176. C:\Windows\SysWOW64\Ohdbkh32.exe (PID 6692), command line: C:\Windows\system32\Ohdbkh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
177. C:\Windows\SysWOW64\Oggbfdog.exe (PID 6996), command line: C:\Windows\system32\Oggbfdog.exe
- Modifies registry class
178. C:\Windows\SysWOW64\Onakco32.exe (PID 6304), command line: C:\Windows\system32\Onakco32.exe
179. C:\Windows\SysWOW64\Oamgcm32.exe (PID 6572), command line: C:\Windows\system32\Oamgcm32.exe
180. C:\Windows\SysWOW64\Odkcpi32.exe (PID 7032), command line: C:\Windows\system32\Odkcpi32.exe
181. C:\Windows\SysWOW64\Ohgopgfj.exe (PID 6700), command line: C:\Windows\system32\Ohgopgfj.exe
182. C:\Windows\SysWOW64\Okeklcen.exe (PID 7216), command line: C:\Windows\system32\Okeklcen.exe
183. C:\Windows\SysWOW64\Poagma32.exe (PID 7264), command line: C:\Windows\system32\Poagma32.exe
184. C:\Windows\SysWOW64\Pocdba32.exe (PID 7316), command line: C:\Windows\system32\Pocdba32.exe
185. C:\Windows\SysWOW64\Pbdmdlie.exe (PID 7376), command line: C:\Windows\system32\Pbdmdlie.exe
- Adds autorun key to be loaded by Explorer.exe on startup
186. C:\Windows\SysWOW64\Pnknim32.exe (PID 7428), command line: C:\Windows\system32\Pnknim32.exe
- Drops file in System32 directory
- Modifies registry class
187. C:\Windows\SysWOW64\Pdeffgff.exe (PID 7468), command line: C:\Windows\system32\Pdeffgff.exe
- Drops file in System32 directory
188. C:\Windows\SysWOW64\Pgcbbc32.exe (PID 7516), command line: C:\Windows\system32\Pgcbbc32.exe
189. C:\Windows\SysWOW64\Pojjcp32.exe (PID 7564), command line: C:\Windows\system32\Pojjcp32.exe
190. C:\Windows\SysWOW64\Pgeogb32.exe (PID 7608), command line: C:\Windows\system32\Pgeogb32.exe
- System Location Discovery: System Language Discovery
191. C:\Windows\SysWOW64\Qdipag32.exe (PID 7660), command line: C:\Windows\system32\Qdipag32.exe
192. C:\Windows\SysWOW64\Qghlmbae.exe (PID 7712), command line: C:\Windows\system32\Qghlmbae.exe
- Adds autorun key to be loaded by Explorer.exe on startup
193. C:\Windows\SysWOW64\Qoocnpag.exe (PID 7764), command line: C:\Windows\system32\Qoocnpag.exe
- System Location Discovery: System Language Discovery
194. C:\Windows\SysWOW64\Qbmpjkqk.exe (PID 7808), command line: C:\Windows\system32\Qbmpjkqk.exe
195. C:\Windows\SysWOW64\Agjhbbob.exe (PID 7852), command line: C:\Windows\system32\Agjhbbob.exe
196. C:\Windows\SysWOW64\Akfdcq32.exe (PID 7900), command line: C:\Windows\system32\Akfdcq32.exe
197. C:\Windows\SysWOW64\Andqol32.exe (PID 7944), command line: C:\Windows\system32\Andqol32.exe
- Drops file in System32 directory
198. C:\Windows\SysWOW64\Afkipi32.exe (PID 7988), command line: C:\Windows\system32\Afkipi32.exe
199. C:\Windows\SysWOW64\Aijeme32.exe (PID 8032), command line: C:\Windows\system32\Aijeme32.exe
200. C:\Windows\SysWOW64\Anfmeldl.exe (PID 8072), command line: C:\Windows\system32\Anfmeldl.exe
- System Location Discovery: System Language Discovery
201. C:\Windows\SysWOW64\Aofjoo32.exe (PID 8120), command line: C:\Windows\system32\Aofjoo32.exe
202. C:\Windows\SysWOW64\Afpbkicl.exe (PID 8172), command line: C:\Windows\system32\Afpbkicl.exe
- Drops file in System32 directory
203. C:\Windows\SysWOW64\Akmjdpac.exe (PID 6688), command line: C:\Windows\system32\Akmjdpac.exe
- Drops file in System32 directory
204. C:\Windows\SysWOW64\Abgcqjhp.exe (PID 7212), command line: C:\Windows\system32\Abgcqjhp.exe
- Drops file in System32 directory
- Modifies registry class
205. C:\Windows\SysWOW64\Afboah32.exe (PID 7260), command line: C:\Windows\system32\Afboah32.exe
206. C:\Windows\SysWOW64\Aokcjngj.exe (PID 7332), command line: C:\Windows\system32\Aokcjngj.exe
- Modifies registry class
207. C:\Windows\SysWOW64\Afdkfh32.exe (PID 7388), command line: C:\Windows\system32\Afdkfh32.exe
208. C:\Windows\SysWOW64\Bichcc32.exe (PID 7456), command line: C:\Windows\system32\Bichcc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
209. C:\Windows\SysWOW64\Bkadoo32.exe (PID 7540), command line: C:\Windows\system32\Bkadoo32.exe
210. C:\Windows\SysWOW64\Bfghlhmd.exe (PID 7620), command line: C:\Windows\system32\Bfghlhmd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
211. C:\Windows\SysWOW64\Bghddp32.exe (PID 7652), command line: C:\Windows\system32\Bghddp32.exe
- Modifies registry class
212. C:\Windows\SysWOW64\Bpomem32.exe (PID 7724), command line: C:\Windows\system32\Bpomem32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
213. C:\Windows\SysWOW64\Bihancje.exe (PID 3984), command line: C:\Windows\system32\Bihancje.exe
- Drops file in System32 directory
214. C:\Windows\SysWOW64\Bgkaip32.exe (PID 7860), command line: C:\Windows\system32\Bgkaip32.exe
215. C:\Windows\SysWOW64\Bndjfjhl.exe (PID 7932), command line: C:\Windows\system32\Bndjfjhl.exe
216. C:\Windows\SysWOW64\Beobcdoi.exe (PID 1884), command line: C:\Windows\system32\Beobcdoi.exe
217. C:\Windows\SysWOW64\Bkhjpn32.exe (PID 4448), command line: C:\Windows\system32\Bkhjpn32.exe
218. C:\Windows\SysWOW64\Bbbblhnc.exe (PID 8104), command line: C:\Windows\system32\Bbbblhnc.exe
219. C:\Windows\SysWOW64\Beaohcmf.exe (PID 8164), command line: C:\Windows\system32\Beaohcmf.exe
- Modifies registry class
220. C:\Windows\SysWOW64\Bpfcelml.exe (PID 7068), command line: C:\Windows\system32\Bpfcelml.exe
221. C:\Windows\SysWOW64\Bnicai32.exe (PID 7280), command line: C:\Windows\system32\Bnicai32.exe
- System Location Discovery: System Language Discovery
222. C:\Windows\SysWOW64\Bbeobhlp.exe (PID 7372), command line: C:\Windows\system32\Bbeobhlp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
223. C:\Windows\SysWOW64\Cnlpgibd.exe (PID 7484), command line: C:\Windows\system32\Cnlpgibd.exe
224. C:\Windows\SysWOW64\Cfbhhfbg.exe (PID 2796), command line: C:\Windows\system32\Cfbhhfbg.exe
225. C:\Windows\SysWOW64\Clpppmqn.exe (PID 7648), command line: C:\Windows\system32\Clpppmqn.exe
- System Location Discovery: System Language Discovery
226. C:\Windows\SysWOW64\Cbihmg32.exe (PID 7740), command line: C:\Windows\system32\Cbihmg32.exe
- Modifies registry class
227. C:\Windows\SysWOW64\Cehdib32.exe (PID 7848), command line: C:\Windows\system32\Cehdib32.exe
228. C:\Windows\SysWOW64\Clbmfm32.exe (PID 7952), command line: C:\Windows\system32\Clbmfm32.exe
229. C:\Windows\SysWOW64\Cfgace32.exe (PID 8040), command line: C:\Windows\system32\Cfgace32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
230. C:\Windows\SysWOW64\Chinkndp.exe (PID 8128), command line: C:\Windows\system32\Chinkndp.exe
231. C:\Windows\SysWOW64\Cppelkeb.exe (PID 6504), command line: C:\Windows\system32\Cppelkeb.exe
232. C:\Windows\SysWOW64\Cbnbhfde.exe (PID 7256), command line: C:\Windows\system32\Cbnbhfde.exe
- Adds autorun key to be loaded by Explorer.exe on startup
233. C:\Windows\SysWOW64\Cemndbci.exe (PID 7440), command line: C:\Windows\system32\Cemndbci.exe
234. C:\Windows\SysWOW64\Chkjpm32.exe (PID 7560), command line: C:\Windows\system32\Chkjpm32.exe
235. C:\Windows\SysWOW64\Clffalkf.exe (PID 7668), command line: C:\Windows\system32\Clffalkf.exe
- Drops file in System32 directory
236. C:\Windows\SysWOW64\Cnebmgjj.exe (PID 7800), command line: C:\Windows\system32\Cnebmgjj.exe
237. C:\Windows\SysWOW64\Cbqonf32.exe (PID 7968), command line: C:\Windows\system32\Cbqonf32.exe
238. C:\Windows\SysWOW64\Cfljnejl.exe (PID 8092), command line: C:\Windows\system32\Cfljnejl.exe
239. C:\Windows\SysWOW64\Dijgjpip.exe (PID 4620), command line: C:\Windows\system32\Dijgjpip.exe
- Modifies registry class
240. C:\Windows\SysWOW64\Dlicflic.exe (PID 2808), command line: C:\Windows\system32\Dlicflic.exe
241. C:\Windows\SysWOW64\Dpdogj32.exe (PID 7604), command line: C:\Windows\system32\Dpdogj32.exe
- System Location Discovery: System Language Discovery
242. C:\Windows\SysWOW64\Dbckcf32.exe, command line: C:\Windows\system32\Dbckcf32.exe
- System Location Discovery: System Language Discovery
PID:7756