Analysis
-
max time kernel
91s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 11:20
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
96KB
-
MD5
b2a14fd40fc5e5979601bc2d82094a90
-
SHA1
ae8e286e575d3e55faa22d98c87fa12a5acc6a7e
-
SHA256
f1b53d0e34e3b4479d242ead89eb157d6fb5efed82ff7b7558316d3cb96aed41
-
SHA512
1bb8552155433eda667673033821cf61f940bfc1bf699204341780a25c8ace5297328d784505b21468b92b8559058a57eede243a78297d1745c995c357a59e2a
-
SSDEEP
1536:Aoo9b9u6R2RI4OkIzYHiCpQXp4RgMxyed5JHkqtjWT8Lorasmh/BOmOoCMy0QiLP:Aos9H9CpyyRvnyqyrkh5OmzCMyELiAH9
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ccgnelll.exeHofjem32.exeMkfojakp.exeOdnobj32.exeClclhmin.exeIcbkhnan.exeBiccfalm.exeEdeclabl.exeEgihcl32.exeJqnhmgmk.exeFbipdi32.exeGlijnmdj.exeJbedkhie.exeKodghqop.exeMhkhgd32.exeHgoadp32.exeJkopndcb.exeKjhfjpdd.exeQcjoci32.exeGajlac32.exeJfhmehji.exeKbcddlnd.exeNpnclf32.exeNpppaejj.exeCaokmd32.exeEgpena32.exeJcfgoadd.exePildgl32.exeDjlbkcfn.exeNmogpj32.exeEikimeff.exeMllhne32.exePalbgn32.exeFelekcop.exeHfnkji32.exeFhglop32.exeLiblfl32.exeNpechhgd.exeAmjiln32.exeFabmmejd.exeJndflk32.exeDkmncl32.exeKqokgd32.exeEepmlf32.exeIpqicdim.exeGecklbih.exeNklaipbj.exeOfgbkacb.exeQghgigkn.exeCodeih32.exeGihnkejd.exeJldbgb32.exeJgbmco32.exeLbkaoalg.exeApkbnibq.exeEkbhnkhf.exeEhfhgogp.exeNcnlnaim.exeGbhcpmkm.exeHdpehd32.exeOgohdeam.exeBeldao32.exeFjnkpf32.exeNgencpel.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccgnelll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkfojakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odnobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbkhnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biccfalm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeclabl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egihcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqnhmgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbipdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glijnmdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbedkhie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kodghqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhkhgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgoadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjhfjpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcjoci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajlac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfhmehji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbcddlnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npnclf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npppaejj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caokmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egpena32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfgoadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pildgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djlbkcfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmogpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikimeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mllhne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Felekcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfnkji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhglop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liblfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npechhgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjiln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabmmejd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndflk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmncl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqokgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eepmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipqicdim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecklbih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklaipbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgbkacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qghgigkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gihnkejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jldbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgbmco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkaoalg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekbhnkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehfhgogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncnlnaim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhcpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogohdeam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjnkpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngencpel.exe -
Executes dropped EXE 64 IoCs
Processes:
Adgein32.exeAmoibc32.exeApnfno32.exeAfgnkilf.exeAmafgc32.exeBfjkphjd.exeBlgcio32.exeBklpjlmc.exeBafhff32.exeBknmok32.exeBedamd32.exeBnofaf32.exeBefnbd32.exeCdkkcp32.exeCaokmd32.exeCglcek32.exeCnflae32.exeCccdjl32.exeCgnpjkhj.exeCgqmpkfg.exeCjoilfek.exeColadm32.exeCcgnelll.exeDlpbna32.exeDonojm32.exeDlboca32.exeDnckki32.exeDglpdomh.exeDnfhqi32.exeDjmiejji.exeDbdagg32.exeDmmbge32.exeEddjhb32.exeEfffpjmk.exeEnmnahnm.exeEpnkip32.exeEcjgio32.exeEfhcej32.exeEifobe32.exeEqngcc32.exeEclcon32.exeEfjpkj32.exeEjfllhao.exeEkghcq32.exeEcnpdnho.exeEfmlqigc.exeEepmlf32.exeEikimeff.exeElieipej.exeEfoifiep.exeEebibf32.exeEgpena32.exeFpgnoo32.exeFbfjkj32.exeFedfgejh.exeFhbbcail.exeFjaoplho.exeFbhfajia.exeFakglf32.exeFcichb32.exeFheoiqgi.exeFnogfk32.exeFamcbf32.exeFdlpnamm.exepid process 2768 Adgein32.exe 2660 Amoibc32.exe 2852 Apnfno32.exe 2824 Afgnkilf.exe 3004 Amafgc32.exe 1496 Bfjkphjd.exe 2960 Blgcio32.exe 1984 Bklpjlmc.exe 2904 Bafhff32.exe 2732 Bknmok32.exe 1888 Bedamd32.exe 1012 Bnofaf32.exe 2252 Befnbd32.exe 2320 Cdkkcp32.exe 1136 Caokmd32.exe 980 Cglcek32.exe 816 Cnflae32.exe 2608 Cccdjl32.exe 1980 Cgnpjkhj.exe 2264 Cgqmpkfg.exe 2080 Cjoilfek.exe 2276 Coladm32.exe 2652 Ccgnelll.exe 2804 Dlpbna32.exe 2740 Donojm32.exe 2160 Dlboca32.exe 2600 Dnckki32.exe 2052 Dglpdomh.exe 2512 Dnfhqi32.exe 2192 Djmiejji.exe 2212 Dbdagg32.exe 2784 Dmmbge32.exe 2724 Eddjhb32.exe 2568 Efffpjmk.exe 1044 Enmnahnm.exe 2108 Epnkip32.exe 2376 Ecjgio32.exe 2200 Efhcej32.exe 2396 Eifobe32.exe 1968 Eqngcc32.exe 1940 Eclcon32.exe 2480 Efjpkj32.exe 304 Ejfllhao.exe 1176 Ekghcq32.exe 2756 Ecnpdnho.exe 2816 Efmlqigc.exe 2828 Eepmlf32.exe 2576 Eikimeff.exe 2908 Elieipej.exe 2184 Efoifiep.exe 2244 Eebibf32.exe 468 Egpena32.exe 2728 Fpgnoo32.exe 2844 Fbfjkj32.exe 1472 Fedfgejh.exe 1884 Fhbbcail.exe 1768 Fjaoplho.exe 1160 Fbhfajia.exe 2088 Fakglf32.exe 1236 Fcichb32.exe 872 Fheoiqgi.exe 2312 Fnogfk32.exe 2440 Famcbf32.exe 988 Fdlpnamm.exe -
Loads dropped DLL 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exeAdgein32.exeAmoibc32.exeApnfno32.exeAfgnkilf.exeAmafgc32.exeBfjkphjd.exeBlgcio32.exeBklpjlmc.exeBafhff32.exeBknmok32.exeBedamd32.exeBnofaf32.exeBefnbd32.exeCdkkcp32.exeCaokmd32.exeCglcek32.exeCnflae32.exeCccdjl32.exeCgnpjkhj.exeCgqmpkfg.exeCjoilfek.exeColadm32.exeCcgnelll.exeDlpbna32.exeDonojm32.exeDlboca32.exeDnckki32.exeDglpdomh.exeDnfhqi32.exeDjmiejji.exeDbdagg32.exepid process 2216 Backdoor.Win32.Padodor.SK.exe 2216 Backdoor.Win32.Padodor.SK.exe 2768 Adgein32.exe 2768 Adgein32.exe 2660 Amoibc32.exe 2660 Amoibc32.exe 2852 Apnfno32.exe 2852 Apnfno32.exe 2824 Afgnkilf.exe 2824 Afgnkilf.exe 3004 Amafgc32.exe 3004 Amafgc32.exe 1496 Bfjkphjd.exe 1496 Bfjkphjd.exe 2960 Blgcio32.exe 2960 Blgcio32.exe 1984 Bklpjlmc.exe 1984 Bklpjlmc.exe 2904 Bafhff32.exe 2904 Bafhff32.exe 2732 Bknmok32.exe 2732 Bknmok32.exe 1888 Bedamd32.exe 1888 Bedamd32.exe 1012 Bnofaf32.exe 1012 Bnofaf32.exe 2252 Befnbd32.exe 2252 Befnbd32.exe 2320 Cdkkcp32.exe 2320 Cdkkcp32.exe 1136 Caokmd32.exe 1136 Caokmd32.exe 980 Cglcek32.exe 980 Cglcek32.exe 816 Cnflae32.exe 816 Cnflae32.exe 2608 Cccdjl32.exe 2608 Cccdjl32.exe 1980 Cgnpjkhj.exe 1980 Cgnpjkhj.exe 2264 Cgqmpkfg.exe 2264 Cgqmpkfg.exe 2080 Cjoilfek.exe 2080 Cjoilfek.exe 2276 Coladm32.exe 2276 Coladm32.exe 2652 Ccgnelll.exe 2652 Ccgnelll.exe 2804 Dlpbna32.exe 2804 Dlpbna32.exe 2740 Donojm32.exe 2740 Donojm32.exe 2160 Dlboca32.exe 2160 Dlboca32.exe 2600 Dnckki32.exe 2600 Dnckki32.exe 2052 Dglpdomh.exe 2052 Dglpdomh.exe 2512 Dnfhqi32.exe 2512 Dnfhqi32.exe 2192 Djmiejji.exe 2192 Djmiejji.exe 2212 Dbdagg32.exe 2212 Dbdagg32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Gaebfdba.exeGecklbih.exeElieipej.exeHofjem32.exeMgfiocfl.exeKpgdnp32.exeIilceh32.exeNpnclf32.exeBlgcio32.exeGedbfimc.exeGbbbjg32.exeMcacochk.exePioamlkk.exeKbcddlnd.exePqgilnji.exeBgdfjfmi.exeFphgbn32.exeKbpnkm32.exeCkpoih32.exeMcbmmbhb.exeMlbkmdah.exeBknmok32.exeJqbbhg32.exeLbmnea32.exeFqffgapf.exeIcbkhnan.exeNeohqicc.exeCaokmd32.exeMghfdcdi.exeMpcgbhig.exeBodhjdcc.exeDgfpni32.exeEnngdgim.exeBfmqigba.exeGeilah32.exeIgcgnbim.exeJcleiclo.exeMmdkfmjc.exeAebakp32.exeFcichb32.exeLcedne32.exeHolldk32.exeJobocn32.exeJgbmco32.exeIhlnhffh.exeKnaeeo32.exeOdqlhjbi.exeEgmbnkie.exeGplcia32.exeHcjldp32.exeChmibmlo.exeDnqhkcdo.exeEnenef32.exeJjqiok32.exeMiaaki32.exeOgjhnp32.exeFjaoplho.exeIjdppm32.exeGhddnnfi.exeMpngmb32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Gddobpbe.exe Gaebfdba.exe File opened for modification C:\Windows\SysWOW64\Ghbhhnhk.exe Gecklbih.exe File created C:\Windows\SysWOW64\Fakmpf32.dll Elieipej.exe File created C:\Windows\SysWOW64\Hadfah32.exe Hofjem32.exe File created C:\Windows\SysWOW64\Momapqgn.exe Mgfiocfl.exe File created C:\Windows\SysWOW64\Ogoicfml.dll Kpgdnp32.exe File created C:\Windows\SysWOW64\Inhoegqc.exe Iilceh32.exe File created C:\Windows\SysWOW64\Hqnpad32.dll Npnclf32.exe File created C:\Windows\SysWOW64\Fnicaj32.dll Blgcio32.exe File created C:\Windows\SysWOW64\Gipngg32.exe Gedbfimc.exe File opened for modification C:\Windows\SysWOW64\Gaebfdba.exe Gbbbjg32.exe File opened for modification C:\Windows\SysWOW64\Nepokogo.exe Mcacochk.exe File opened for modification C:\Windows\SysWOW64\Pkmmigjo.exe Pioamlkk.exe File created C:\Windows\SysWOW64\Kfopdk32.exe Kbcddlnd.exe File created C:\Windows\SysWOW64\Pioamlkk.exe Pqgilnji.exe File opened for modification C:\Windows\SysWOW64\Biccfalm.exe Bgdfjfmi.exe File opened for modification C:\Windows\SysWOW64\Fgpock32.exe Fphgbn32.exe File created C:\Windows\SysWOW64\Kenjgi32.exe Kbpnkm32.exe File created C:\Windows\SysWOW64\Okdamdah.dll Ckpoih32.exe File created C:\Windows\SysWOW64\Ffmcdhob.dll Mcbmmbhb.exe File opened for modification C:\Windows\SysWOW64\Mpngmb32.exe Mlbkmdah.exe File opened for modification C:\Windows\SysWOW64\Bedamd32.exe Bknmok32.exe File created C:\Windows\SysWOW64\Ennlbjle.dll Jqbbhg32.exe File created C:\Windows\SysWOW64\Mknlhcol.dll Lbmnea32.exe File created C:\Windows\SysWOW64\Dagocg32.dll Fqffgapf.exe File created C:\Windows\SysWOW64\Igngim32.exe Icbkhnan.exe File opened for modification C:\Windows\SysWOW64\Nhnemdbf.exe Neohqicc.exe File opened for modification C:\Windows\SysWOW64\Cglcek32.exe Caokmd32.exe File created C:\Windows\SysWOW64\Dpmodqio.dll Mghfdcdi.exe File created C:\Windows\SysWOW64\Cnkbeloa.dll Mpcgbhig.exe File opened for modification C:\Windows\SysWOW64\Bacefpbg.exe Bodhjdcc.exe File created C:\Windows\SysWOW64\Djeljd32.exe Dgfpni32.exe File created C:\Windows\SysWOW64\Ebicee32.exe Enngdgim.exe File created C:\Windows\SysWOW64\Acdlnnal.dll Bfmqigba.exe File created C:\Windows\SysWOW64\Ghghnc32.exe Geilah32.exe File created C:\Windows\SysWOW64\Cenancce.dll Igcgnbim.exe File created C:\Windows\SysWOW64\Jghqia32.exe Jcleiclo.exe File created C:\Windows\SysWOW64\Mpcgbhig.exe Mmdkfmjc.exe File created C:\Windows\SysWOW64\Amjiln32.exe Aebakp32.exe File opened for modification C:\Windows\SysWOW64\Fheoiqgi.exe Fcichb32.exe File created C:\Windows\SysWOW64\Bkghniol.dll Lcedne32.exe File created C:\Windows\SysWOW64\Nhnemdbf.exe Neohqicc.exe File created C:\Windows\SysWOW64\Hajhpgag.exe Holldk32.exe File created C:\Windows\SysWOW64\Jbakpi32.exe Jobocn32.exe File created C:\Windows\SysWOW64\Fimoek32.dll Jgbmco32.exe File opened for modification C:\Windows\SysWOW64\Ioefdpne.exe Ihlnhffh.exe File opened for modification C:\Windows\SysWOW64\Kapaaj32.exe Knaeeo32.exe File opened for modification C:\Windows\SysWOW64\Ogohdeam.exe Odqlhjbi.exe File created C:\Windows\SysWOW64\Pkmmigjo.exe Pioamlkk.exe File created C:\Windows\SysWOW64\Fljkodkb.dll Egmbnkie.exe File created C:\Windows\SysWOW64\Kaokbi32.dll Gplcia32.exe File created C:\Windows\SysWOW64\Hqaiha32.dll Hcjldp32.exe File created C:\Windows\SysWOW64\Jcandb32.exe Jqbbhg32.exe File created C:\Windows\SysWOW64\Aceakpbh.dll Chmibmlo.exe File opened for modification C:\Windows\SysWOW64\Dpodgocb.exe Dnqhkcdo.exe File created C:\Windows\SysWOW64\Fdhiehfo.dll Enenef32.exe File created C:\Windows\SysWOW64\Mbagfo32.dll Jjqiok32.exe File created C:\Windows\SysWOW64\Mmmnkglp.exe Miaaki32.exe File opened for modification C:\Windows\SysWOW64\Oihdjk32.exe Ogjhnp32.exe File opened for modification C:\Windows\SysWOW64\Fbhfajia.exe Fjaoplho.exe File opened for modification C:\Windows\SysWOW64\Ibkhak32.exe Ijdppm32.exe File created C:\Windows\SysWOW64\Jdlhma32.dll Ghddnnfi.exe File created C:\Windows\SysWOW64\Mblcin32.exe Mpngmb32.exe File created C:\Windows\SysWOW64\Kanafj32.dll Neohqicc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 7000 6964 WerFault.exe Opblgehg.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ijdppm32.exeLpanne32.exeMioeeifi.exeLlhocfnb.exeDpaqmnap.exeGdcfoq32.exeCkmbdh32.exeMldgbcoe.exeHkogpn32.exeDgildi32.exeHkejnl32.exeKqkalenn.exeNafiej32.exeKffqqm32.exeLcedne32.exeFcilnl32.exeFelekcop.exeJfhmehji.exeDlpbna32.exeBmjekahk.exeEhfhgogp.exeFqffgapf.exeLflonn32.exeCnflae32.exeDlboca32.exeDjmiejji.exeJfagemej.exeOqepgk32.exeOjdjqp32.exeKcngcp32.exeLfhiepbn.exeOmnmal32.exeJoekimld.exeJndflk32.exeJcckibfg.exeLkmldbcj.exeMhcicf32.exeOqjibkek.exeDjlbkcfn.exeInjlkf32.exeLnqkjl32.exeFamcbf32.exeFmddgg32.exeHipkfkgh.exeGlkgcmbg.exeNpiiafpa.exeFbhfajia.exeEbnmpemq.exeHkbmil32.exeIfpnaj32.exeMmdkfmjc.exeLekcffem.exeNmacej32.exeDnfhqi32.exeDkmncl32.exeIilceh32.exeNklaipbj.exeAfgnkilf.exeGoocenaa.exePchbmigj.exeAejglo32.exeMhkhgd32.exeKnaeeo32.exeDpmgao32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijdppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpanne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mioeeifi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhocfnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpaqmnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcfoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldgbcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkogpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgildi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkejnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqkalenn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffqqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcedne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcilnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felekcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhmehji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjekahk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehfhgogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqffgapf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflonn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnflae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmiejji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfagemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqepgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcngcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhiepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joekimld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndflk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcckibfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkmldbcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqjibkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djlbkcfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injlkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqkjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmddgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipkfkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkgcmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiafpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhfajia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnmpemq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpnaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdkfmjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekcffem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmacej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfhqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmncl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilceh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklaipbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgnkilf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goocenaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchbmigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejglo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhkhgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmgao32.exe -
Modifies registry class 64 IoCs
Processes:
Lflonn32.exeQaqlbmbn.exeGfgdij32.exeKbeqjl32.exeEcjgio32.exeEkbhnkhf.exeKcimhpma.exeOkhgod32.exeMblcin32.exeAmoibc32.exeEfjpkj32.exeJgjmoace.exeMonjcp32.exeHkogpn32.exeJcckibfg.exeGdcfoq32.exeHehhqk32.exeIciaim32.exeLjcbcngi.exeBnofaf32.exeEnenef32.exeFmodaadg.exeKjebjjck.exeHocmpm32.exeJndflk32.exeJddqgdii.exeGbcien32.exeOapcfo32.exeIeeqpi32.exeMfqiingf.exeMbjfcnkg.exeHnppaill.exeKiemmh32.exeCodeih32.exeCgdciiod.exeDjeljd32.exeHechkfkc.exeKgdiho32.exeOmqjgl32.exeAeenapck.exeCelpqbon.exeIgcgnbim.exeLkmldbcj.exeLlbnnq32.exeColadm32.exeEgpena32.exeGeilah32.exeEifobe32.exeGihnkejd.exeGhddnnfi.exeGlfjgaih.exeAdgein32.exeDpmgao32.exeDgildi32.exeFfghjg32.exeHdhdlbpk.exeJjfmem32.exeJbhhkn32.exeNanfqo32.exeOhengmcf.exeImcfjg32.exeKflcok32.exeLckflc32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lflonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemmee32.dll" Qaqlbmbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfgdij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkebebd.dll" Kbeqjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flefhg32.dll" Ekbhnkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebiiiec.dll" Kcimhpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjeji32.dll" Okhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mblcin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffemqioj.dll" Amoibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efjpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemanlnj.dll" Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Monjcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amoibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkogpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpqlnhfp.dll" Jcckibfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnjbhgo.dll" Gdcfoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hehhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacmfp32.dll" Iciaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbieg32.dll" Bnofaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdhiehfo.dll" Enenef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mieiglio.dll" Fmodaadg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcehpcal.dll" Kjebjjck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhnbelc.dll" Hocmpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okfampdd.dll" Jndflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjeman32.dll" Jddqgdii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbkgheh.dll" Gbcien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngjcj32.dll" Oapcfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieeqpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfqiingf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbjfcnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aflhek32.dll" Hnppaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcijnhod.dll" Kiemmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Codeih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgdciiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hechkfkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgdiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omqjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igcgnbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llbnnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egpena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geilah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gihnkejd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghddnnfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glfjgaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbendkpn.dll" Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpmgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgildi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffghjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdhdlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjfmem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbhhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nanfqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnpmio.dll" Ohengmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imcfjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kflcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll" Lckflc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exeAdgein32.exeAmoibc32.exeApnfno32.exeAfgnkilf.exeAmafgc32.exeBfjkphjd.exeBlgcio32.exeBklpjlmc.exeBafhff32.exeBknmok32.exeBedamd32.exeBnofaf32.exeBefnbd32.exeCdkkcp32.exeCaokmd32.exedescription pid process target process PID 2216 wrote to memory of 2768 2216 Backdoor.Win32.Padodor.SK.exe Adgein32.exe PID 2216 wrote to memory of 2768 2216 Backdoor.Win32.Padodor.SK.exe Adgein32.exe PID 2216 wrote to memory of 2768 2216 Backdoor.Win32.Padodor.SK.exe Adgein32.exe PID 2216 wrote to memory of 2768 2216 Backdoor.Win32.Padodor.SK.exe Adgein32.exe PID 2768 wrote to memory of 2660 2768 Adgein32.exe Amoibc32.exe PID 2768 wrote to memory of 2660 2768 Adgein32.exe Amoibc32.exe PID 2768 wrote to memory of 2660 2768 Adgein32.exe Amoibc32.exe PID 2768 wrote to memory of 2660 2768 Adgein32.exe Amoibc32.exe PID 2660 wrote to memory of 2852 2660 Amoibc32.exe Apnfno32.exe PID 2660 wrote to memory of 2852 2660 Amoibc32.exe Apnfno32.exe PID 2660 wrote to memory of 2852 2660 Amoibc32.exe Apnfno32.exe PID 2660 wrote to memory of 2852 2660 Amoibc32.exe Apnfno32.exe PID 2852 wrote to memory of 2824 2852 Apnfno32.exe Afgnkilf.exe PID 2852 wrote to memory of 2824 2852 Apnfno32.exe Afgnkilf.exe PID 2852 wrote to memory of 2824 2852 Apnfno32.exe Afgnkilf.exe PID 2852 wrote to memory of 2824 2852 Apnfno32.exe Afgnkilf.exe PID 2824 wrote to memory of 3004 2824 Afgnkilf.exe Amafgc32.exe PID 2824 wrote to memory of 3004 2824 Afgnkilf.exe Amafgc32.exe PID 2824 wrote to memory of 3004 2824 Afgnkilf.exe Amafgc32.exe PID 2824 wrote to memory of 3004 2824 Afgnkilf.exe Amafgc32.exe PID 3004 wrote to memory of 1496 3004 Amafgc32.exe Bfjkphjd.exe PID 3004 wrote to memory of 1496 3004 Amafgc32.exe Bfjkphjd.exe PID 3004 wrote to memory of 1496 3004 Amafgc32.exe Bfjkphjd.exe PID 3004 wrote to memory of 1496 3004 Amafgc32.exe Bfjkphjd.exe PID 1496 wrote to memory of 2960 1496 Bfjkphjd.exe Blgcio32.exe PID 1496 wrote to memory of 2960 1496 Bfjkphjd.exe Blgcio32.exe PID 1496 wrote to memory of 2960 1496 Bfjkphjd.exe Blgcio32.exe PID 1496 wrote to memory of 2960 1496 Bfjkphjd.exe Blgcio32.exe PID 2960 wrote to memory of 1984 2960 Blgcio32.exe Bklpjlmc.exe PID 2960 wrote to memory of 1984 2960 Blgcio32.exe Bklpjlmc.exe PID 2960 wrote to memory of 1984 2960 Blgcio32.exe Bklpjlmc.exe PID 2960 wrote to memory of 1984 2960 Blgcio32.exe Bklpjlmc.exe PID 1984 wrote to memory of 2904 1984 Bklpjlmc.exe Bafhff32.exe PID 1984 wrote to memory of 2904 1984 Bklpjlmc.exe Bafhff32.exe PID 1984 wrote to memory of 2904 1984 Bklpjlmc.exe Bafhff32.exe PID 1984 wrote to memory of 2904 1984 Bklpjlmc.exe Bafhff32.exe PID 2904 wrote to memory of 2732 2904 Bafhff32.exe Bknmok32.exe PID 2904 wrote to memory of 2732 2904 Bafhff32.exe Bknmok32.exe PID 2904 wrote to memory of 2732 2904 Bafhff32.exe Bknmok32.exe PID 2904 wrote to memory of 2732 2904 Bafhff32.exe Bknmok32.exe PID 2732 wrote to memory of 1888 2732 Bknmok32.exe Bedamd32.exe PID 2732 wrote to memory of 1888 2732 Bknmok32.exe Bedamd32.exe PID 2732 wrote to memory of 1888 2732 Bknmok32.exe Bedamd32.exe PID 2732 wrote to memory of 1888 2732 Bknmok32.exe Bedamd32.exe PID 1888 wrote to memory of 1012 1888 Bedamd32.exe Bnofaf32.exe PID 1888 wrote to memory of 1012 1888 Bedamd32.exe Bnofaf32.exe PID 1888 wrote to memory of 1012 1888 Bedamd32.exe Bnofaf32.exe PID 1888 wrote to memory of 1012 1888 Bedamd32.exe Bnofaf32.exe PID 1012 wrote to memory of 2252 1012 Bnofaf32.exe Befnbd32.exe PID 1012 wrote to memory of 2252 1012 Bnofaf32.exe Befnbd32.exe PID 1012 wrote to memory of 2252 1012 Bnofaf32.exe Befnbd32.exe PID 1012 wrote to memory of 2252 1012 Bnofaf32.exe Befnbd32.exe PID 2252 wrote to memory of 2320 2252 Befnbd32.exe Cdkkcp32.exe PID 2252 wrote to memory of 2320 2252 Befnbd32.exe Cdkkcp32.exe PID 2252 wrote to memory of 2320 2252 Befnbd32.exe Cdkkcp32.exe PID 2252 wrote to memory of 2320 2252 Befnbd32.exe Cdkkcp32.exe PID 2320 wrote to memory of 1136 2320 Cdkkcp32.exe Caokmd32.exe PID 2320 wrote to memory of 1136 2320 Cdkkcp32.exe Caokmd32.exe PID 2320 wrote to memory of 1136 2320 Cdkkcp32.exe Caokmd32.exe PID 2320 wrote to memory of 1136 2320 Cdkkcp32.exe Caokmd32.exe PID 1136 wrote to memory of 980 1136 Caokmd32.exe Cglcek32.exe PID 1136 wrote to memory of 980 1136 Caokmd32.exe Cglcek32.exe PID 1136 wrote to memory of 980 1136 Caokmd32.exe Cglcek32.exe PID 1136 wrote to memory of 980 1136 Caokmd32.exe Cglcek32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Adgein32.exeC:\Windows\system32\Adgein32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Amoibc32.exeC:\Windows\system32\Amoibc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Apnfno32.exeC:\Windows\system32\Apnfno32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Afgnkilf.exeC:\Windows\system32\Afgnkilf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Bafhff32.exeC:\Windows\system32\Bafhff32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Bknmok32.exeC:\Windows\system32\Bknmok32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Cglcek32.exeC:\Windows\system32\Cglcek32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:816 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Cgnpjkhj.exeC:\Windows\system32\Cgnpjkhj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Cjoilfek.exeC:\Windows\system32\Cjoilfek.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Donojm32.exeC:\Windows\system32\Donojm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Dnfhqi32.exeC:\Windows\system32\Dnfhqi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Djmiejji.exeC:\Windows\system32\Djmiejji.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Dbdagg32.exeC:\Windows\system32\Dbdagg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe33⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe34⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe36⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe37⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Efhcej32.exeC:\Windows\system32\Efhcej32.exe39⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Eifobe32.exeC:\Windows\system32\Eifobe32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Eqngcc32.exeC:\Windows\system32\Eqngcc32.exe41⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe42⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Efjpkj32.exeC:\Windows\system32\Efjpkj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe44⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Ekghcq32.exeC:\Windows\system32\Ekghcq32.exe45⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe46⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Efmlqigc.exeC:\Windows\system32\Efmlqigc.exe47⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe51⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Eebibf32.exeC:\Windows\system32\Eebibf32.exe52⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe54⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe55⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe56⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe57⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe60⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe62⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe63⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe65⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe67⤵PID:1756
-
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe69⤵PID:2584
-
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe70⤵PID:3064
-
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe71⤵PID:2708
-
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe72⤵PID:1728
-
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe74⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Gimaah32.exeC:\Windows\system32\Gimaah32.exe75⤵PID:1872
-
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe76⤵PID:2028
-
C:\Windows\SysWOW64\Gdcfoq32.exeC:\Windows\system32\Gdcfoq32.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Gfabkl32.exeC:\Windows\system32\Gfabkl32.exe78⤵PID:1556
-
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe79⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe80⤵PID:2120
-
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe81⤵PID:1436
-
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe83⤵PID:2156
-
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe84⤵PID:1580
-
C:\Windows\SysWOW64\Gplcia32.exeC:\Windows\system32\Gplcia32.exe85⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe86⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe88⤵PID:2516
-
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe89⤵PID:2912
-
C:\Windows\SysWOW64\Gbmlkl32.exeC:\Windows\system32\Gbmlkl32.exe90⤵PID:2204
-
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe91⤵PID:2508
-
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe92⤵PID:644
-
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe93⤵PID:2272
-
C:\Windows\SysWOW64\Hocmpm32.exeC:\Windows\system32\Hocmpm32.exe94⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Habili32.exeC:\Windows\system32\Habili32.exe95⤵PID:2928
-
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Hgoadp32.exeC:\Windows\system32\Hgoadp32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe99⤵PID:2604
-
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe100⤵PID:2840
-
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe101⤵PID:1132
-
C:\Windows\SysWOW64\Hipkfkgh.exeC:\Windows\system32\Hipkfkgh.exe102⤵
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe103⤵PID:2916
-
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe104⤵PID:1604
-
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe106⤵PID:2104
-
C:\Windows\SysWOW64\Hplphd32.exeC:\Windows\system32\Hplphd32.exe107⤵PID:808
-
C:\Windows\SysWOW64\Hcjldp32.exeC:\Windows\system32\Hcjldp32.exe108⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Hehhqk32.exeC:\Windows\system32\Hehhqk32.exe109⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Hnppaill.exeC:\Windows\system32\Hnppaill.exe110⤵
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe111⤵PID:1656
-
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe112⤵PID:1640
-
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe113⤵PID:2900
-
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe114⤵PID:2116
-
C:\Windows\SysWOW64\Ipqicdim.exeC:\Windows\system32\Ipqicdim.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe116⤵PID:2332
-
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe117⤵PID:1620
-
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe118⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Ioefdpne.exeC:\Windows\system32\Ioefdpne.exe119⤵PID:2976
-
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe120⤵PID:1516
-
C:\Windows\SysWOW64\Ifpnaj32.exeC:\Windows\system32\Ifpnaj32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe122⤵PID:2684
-
C:\Windows\SysWOW64\Ifbkgj32.exeC:\Windows\system32\Ifbkgj32.exe123⤵PID:2932
-
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe124⤵PID:2144
-
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe125⤵
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe126⤵PID:2812
-
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe127⤵PID:2364
-
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe128⤵PID:1568
-
C:\Windows\SysWOW64\Igeddb32.exeC:\Windows\system32\Igeddb32.exe129⤵PID:2980
-
C:\Windows\SysWOW64\Ijdppm32.exeC:\Windows\system32\Ijdppm32.exe130⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe131⤵PID:2640
-
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe133⤵
- Drops file in System32 directory
PID:476 -
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe134⤵PID:332
-
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe135⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe136⤵PID:1608
-
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe137⤵PID:388
-
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe138⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe139⤵PID:3040
-
C:\Windows\SysWOW64\Jndflk32.exeC:\Windows\system32\Jndflk32.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe141⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe142⤵PID:2596
-
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe143⤵PID:1376
-
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe144⤵PID:1820
-
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe145⤵PID:1192
-
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe146⤵PID:2672
-
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe147⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe148⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe149⤵PID:2888
-
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe152⤵
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Jegdgj32.exeC:\Windows\system32\Jegdgj32.exe153⤵PID:1576
-
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe154⤵PID:2096
-
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe155⤵PID:2368
-
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe156⤵PID:2256
-
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe157⤵
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe158⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe159⤵PID:2692
-
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe160⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe161⤵PID:492
-
C:\Windows\SysWOW64\Kigibh32.exeC:\Windows\system32\Kigibh32.exe162⤵PID:2628
-
C:\Windows\SysWOW64\Kkefoc32.exeC:\Windows\system32\Kkefoc32.exe163⤵PID:3044
-
C:\Windows\SysWOW64\Kjhfjpdd.exeC:\Windows\system32\Kjhfjpdd.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe165⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe166⤵PID:2676
-
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe167⤵PID:2336
-
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe168⤵PID:1696
-
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe169⤵PID:2444
-
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe170⤵PID:1224
-
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe171⤵PID:772
-
C:\Windows\SysWOW64\Kccgheib.exeC:\Windows\system32\Kccgheib.exe172⤵PID:2624
-
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe173⤵PID:1588
-
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe174⤵PID:1596
-
C:\Windows\SysWOW64\Kpjhnfof.exeC:\Windows\system32\Kpjhnfof.exe175⤵PID:2704
-
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe176⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe177⤵PID:3100
-
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3140 -
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe179⤵PID:3180
-
C:\Windows\SysWOW64\Lchqcd32.exeC:\Windows\system32\Lchqcd32.exe180⤵PID:3220
-
C:\Windows\SysWOW64\Lbkaoalg.exeC:\Windows\system32\Lbkaoalg.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3260 -
C:\Windows\SysWOW64\Ljbipolj.exeC:\Windows\system32\Ljbipolj.exe182⤵PID:3300
-
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe183⤵PID:3340
-
C:\Windows\SysWOW64\Lpoaheja.exeC:\Windows\system32\Lpoaheja.exe184⤵PID:3380
-
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe185⤵
- Drops file in System32 directory
PID:3420 -
C:\Windows\SysWOW64\Lfhiepbn.exeC:\Windows\system32\Lfhiepbn.exe186⤵
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe187⤵PID:3500
-
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe188⤵PID:3540
-
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe189⤵
- System Location Discovery: System Language Discovery
PID:3580 -
C:\Windows\SysWOW64\Lbojjq32.exeC:\Windows\system32\Lbojjq32.exe190⤵PID:3620
-
C:\Windows\SysWOW64\Lenffl32.exeC:\Windows\system32\Lenffl32.exe191⤵PID:3660
-
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe192⤵
- System Location Discovery: System Language Discovery
PID:3700 -
C:\Windows\SysWOW64\Lpckce32.exeC:\Windows\system32\Lpckce32.exe193⤵PID:3740
-
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe194⤵PID:3780
-
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe195⤵PID:3820
-
C:\Windows\SysWOW64\Lilomj32.exeC:\Windows\system32\Lilomj32.exe196⤵PID:3860
-
C:\Windows\SysWOW64\Lkmldbcj.exeC:\Windows\system32\Lkmldbcj.exe197⤵PID:3900
-
C:\Windows\SysWOW64\Lkmldbcj.exeC:\Windows\system32\Lkmldbcj.exe198⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3928 -
C:\Windows\SysWOW64\Mbdcepcm.exeC:\Windows\system32\Mbdcepcm.exe199⤵PID:3952
-
C:\Windows\SysWOW64\Mebpakbq.exeC:\Windows\system32\Mebpakbq.exe200⤵PID:3992
-
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe201⤵PID:4032
-
C:\Windows\SysWOW64\Mllhne32.exeC:\Windows\system32\Mllhne32.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4072 -
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe203⤵PID:3076
-
C:\Windows\SysWOW64\Mmndfnpl.exeC:\Windows\system32\Mmndfnpl.exe204⤵PID:3128
-
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe205⤵
- System Location Discovery: System Language Discovery
PID:3152 -
C:\Windows\SysWOW64\Mgfiocfl.exeC:\Windows\system32\Mgfiocfl.exe206⤵
- Drops file in System32 directory
PID:3236 -
C:\Windows\SysWOW64\Momapqgn.exeC:\Windows\system32\Momapqgn.exe207⤵PID:3276
-
C:\Windows\SysWOW64\Mpnngi32.exeC:\Windows\system32\Mpnngi32.exe208⤵PID:3332
-
C:\Windows\SysWOW64\Mdjihgef.exeC:\Windows\system32\Mdjihgef.exe209⤵PID:3364
-
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe210⤵
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Migbpocm.exeC:\Windows\system32\Migbpocm.exe211⤵PID:3488
-
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe212⤵PID:3536
-
C:\Windows\SysWOW64\Mdlfngcc.exeC:\Windows\system32\Mdlfngcc.exe213⤵PID:3588
-
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe214⤵PID:3640
-
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3680 -
C:\Windows\SysWOW64\Mmdkfmjc.exeC:\Windows\system32\Mmdkfmjc.exe216⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3728 -
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe217⤵
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Mcacochk.exeC:\Windows\system32\Mcacochk.exe218⤵
- Drops file in System32 directory
PID:3828 -
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe219⤵PID:3832
-
C:\Windows\SysWOW64\Nmggllha.exeC:\Windows\system32\Nmggllha.exe220⤵PID:3936
-
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3984 -
C:\Windows\SysWOW64\Nohddd32.exeC:\Windows\system32\Nohddd32.exe222⤵PID:4040
-
C:\Windows\SysWOW64\Ngoleb32.exeC:\Windows\system32\Ngoleb32.exe223⤵PID:4092
-
C:\Windows\SysWOW64\Ninhamne.exeC:\Windows\system32\Ninhamne.exe224⤵PID:292
-
C:\Windows\SysWOW64\Nlldmimi.exeC:\Windows\system32\Nlldmimi.exe225⤵PID:3176
-
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe226⤵PID:3204
-
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe227⤵PID:3288
-
C:\Windows\SysWOW64\Nedifo32.exeC:\Windows\system32\Nedifo32.exe228⤵PID:3356
-
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe229⤵PID:3412
-
C:\Windows\SysWOW64\Nkaane32.exeC:\Windows\system32\Nkaane32.exe230⤵PID:3436
-
C:\Windows\SysWOW64\Nchipb32.exeC:\Windows\system32\Nchipb32.exe231⤵PID:3556
-
C:\Windows\SysWOW64\Negeln32.exeC:\Windows\system32\Negeln32.exe232⤵PID:3608
-
C:\Windows\SysWOW64\Nhebhipj.exeC:\Windows\system32\Nhebhipj.exe233⤵PID:3668
-
C:\Windows\SysWOW64\Nkdndeon.exeC:\Windows\system32\Nkdndeon.exe234⤵PID:3712
-
C:\Windows\SysWOW64\Nnbjpqoa.exeC:\Windows\system32\Nnbjpqoa.exe235⤵PID:3796
-
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe236⤵
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Ndlbmk32.exeC:\Windows\system32\Ndlbmk32.exe237⤵PID:3912
-
C:\Windows\SysWOW64\Ngjoif32.exeC:\Windows\system32\Ngjoif32.exe238⤵PID:3980
-
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe239⤵PID:4056
-
C:\Windows\SysWOW64\Oapcfo32.exeC:\Windows\system32\Oapcfo32.exe240⤵
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Odnobj32.exeC:\Windows\system32\Odnobj32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3160 -
C:\Windows\SysWOW64\Ohjkcile.exeC:\Windows\system32\Ohjkcile.exe242⤵PID:3256