Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
106s -
max time network
15s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/09/2024, 16:03
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
96KB
-
MD5
f4c0aae9837f944b6b86baf2dfd70710
-
SHA1
8073119bac68ce93f3b767c00f4d19060ad13678
-
SHA256
37f50f52cdc8a9778cde4977708c6369a517c697e79c5b4b5e7a2b1fae219551
-
SHA512
c9b485e8e725d05d618ae8758a4d5b5a1f41c3f9725c7282cb7d03c9325b618a4d33ebb3f06385bfd46e97c7c148b6a1e02f94b1455f3b42f66d0f065e09fe5b
-
SSDEEP
1536:ZmLyPhJqAxQSTCVAhX8Gm9T1WD57LtduV9jojTIvjrH:ZmOPh4OpuVAhjm9T8lLtd69jc0vf
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkeialfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aieihpgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppacfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbkljd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephhmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgbpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolffjap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecdhonoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiflgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blklfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkihli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfigdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndfbia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Niednn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclfigao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naqkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keodflee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfnaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nliqoofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcikllja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akhopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbkljd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofdicodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmbkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anlkakqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbcjfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnoapba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhimaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekgfkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfabfldd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdohg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bggohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akjjifji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnefiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laidie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hepdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afeold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmqckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfanep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcmmhmhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchgnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnhakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajcpgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmlekj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmfbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdejpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olfkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deedfacn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjbaooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaffja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbpjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiqpmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aieihpgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljogknmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebccal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpeojha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkglim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noighakn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibcgb32.exe -
Executes dropped EXE 64 IoCs
pid Process 396 Acbieing.exe 2928 Afqeaemk.exe 2748 Afeold32.exe 2936 Bncpffdn.exe 2640 Bqciha32.exe 2460 Bjnjfffm.exe 2872 Bcgoolln.exe 2524 Conpdm32.exe 1684 Ckdpinhf.exe 2892 Cgmndokg.exe 952 Cjngej32.exe 1792 Dmopge32.exe 3056 Dhdddnep.exe 2340 Dbqajk32.exe 2212 Dlifcqfl.exe 528 Eiocbd32.exe 2536 Ebghkjjc.exe 2584 Emailhfb.exe 2148 Ehgmiq32.exe 1020 Ekgfkl32.exe 1704 Epdncb32.exe 916 Fgnfpm32.exe 1464 Fcgdjmlo.exe 1132 Fhfihd32.exe 2476 Faonqiod.exe 1716 Gocnjn32.exe 2836 Gacgli32.exe 3028 Ggppdpif.exe 2924 Gcimop32.exe 2904 Hjfbaj32.exe 2660 Hfmbfkhf.exe 2112 Hkiknb32.exe 932 Himkgf32.exe 1636 Hnomkloi.exe 2692 Imkqmh32.exe 2996 Jbjejojn.exe 752 Jhgnbehe.exe 3036 Jocceo32.exe 2240 Jdplmflg.exe 2336 Kdeehe32.exe 1312 Kfenjq32.exe 1492 Kidjfl32.exe 1712 Kifgllbc.exe 2484 Kbokda32.exe 780 Kpblne32.exe 1744 Keodflee.exe 3020 Lccepqdo.exe 2184 Lllihf32.exe 1504 Lednal32.exe 1596 Lkafib32.exe 2772 Lpnobi32.exe 2780 Lamkllea.exe 2948 Lgjcdc32.exe 2988 Llgllj32.exe 2672 Mliibj32.exe 2608 Mccaodgj.exe 2092 Mjmiknng.exe 2860 Mojaceln.exe 2896 Mkqbhf32.exe 3048 Mhdcbjal.exe 1688 Mkconepp.exe 2252 Mfhcknpf.exe 2328 Mgjpcf32.exe 756 Nbodpo32.exe -
Loads dropped DLL 64 IoCs
pid Process 1424 Backdoor.Win32.Padodor.SK.exe 1424 Backdoor.Win32.Padodor.SK.exe 396 Acbieing.exe 396 Acbieing.exe 2928 Afqeaemk.exe 2928 Afqeaemk.exe 2748 Afeold32.exe 2748 Afeold32.exe 2936 Bncpffdn.exe 2936 Bncpffdn.exe 2640 Bqciha32.exe 2640 Bqciha32.exe 2460 Bjnjfffm.exe 2460 Bjnjfffm.exe 2872 Bcgoolln.exe 2872 Bcgoolln.exe 2524 Conpdm32.exe 2524 Conpdm32.exe 1684 Ckdpinhf.exe 1684 Ckdpinhf.exe 2892 Cgmndokg.exe 2892 Cgmndokg.exe 952 Cjngej32.exe 952 Cjngej32.exe 1792 Dmopge32.exe 1792 Dmopge32.exe 3056 Dhdddnep.exe 3056 Dhdddnep.exe 2340 Dbqajk32.exe 2340 Dbqajk32.exe 2212 Dlifcqfl.exe 2212 Dlifcqfl.exe 528 Eiocbd32.exe 528 Eiocbd32.exe 2536 Ebghkjjc.exe 2536 Ebghkjjc.exe 2584 Emailhfb.exe 2584 Emailhfb.exe 2148 Ehgmiq32.exe 2148 Ehgmiq32.exe 1020 Ekgfkl32.exe 1020 Ekgfkl32.exe 1704 Epdncb32.exe 1704 Epdncb32.exe 916 Fgnfpm32.exe 916 Fgnfpm32.exe 1464 Fcgdjmlo.exe 1464 Fcgdjmlo.exe 1132 Fhfihd32.exe 1132 Fhfihd32.exe 2476 Faonqiod.exe 2476 Faonqiod.exe 1716 Gocnjn32.exe 1716 Gocnjn32.exe 2836 Gacgli32.exe 2836 Gacgli32.exe 3028 Ggppdpif.exe 3028 Ggppdpif.exe 2924 Gcimop32.exe 2924 Gcimop32.exe 2904 Hjfbaj32.exe 2904 Hjfbaj32.exe 2660 Hfmbfkhf.exe 2660 Hfmbfkhf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Naqkki32.exe Nhhfbd32.exe File created C:\Windows\SysWOW64\Hekfpo32.exe Hkbagjfi.exe File created C:\Windows\SysWOW64\Alnndlmh.dll Ggekhhle.exe File opened for modification C:\Windows\SysWOW64\Qmlief32.exe Pbfehn32.exe File created C:\Windows\SysWOW64\Hkifld32.exe Hobfgcdb.exe File created C:\Windows\SysWOW64\Cljiqf32.dll Mpmfoodb.exe File opened for modification C:\Windows\SysWOW64\Fmnoapba.exe Fcfjik32.exe File created C:\Windows\SysWOW64\Opoonh32.dll Bfgikgjq.exe File created C:\Windows\SysWOW64\Meeqkijg.exe Mmjlfgml.exe File created C:\Windows\SysWOW64\Jmqckf32.exe Jgdkbo32.exe File created C:\Windows\SysWOW64\Dbpmba32.dll Joohmk32.exe File created C:\Windows\SysWOW64\Lhqpqp32.exe Lbdghi32.exe File created C:\Windows\SysWOW64\Ekicjlai.exe Edokna32.exe File opened for modification C:\Windows\SysWOW64\Qiqpmp32.exe Pinchq32.exe File created C:\Windows\SysWOW64\Pdnfalea.exe Plbbmjhf.exe File opened for modification C:\Windows\SysWOW64\Daibfa32.exe Dohiefpc.exe File created C:\Windows\SysWOW64\Abcpho32.dll Pajjpk32.exe File opened for modification C:\Windows\SysWOW64\Fphgpnhm.exe Fdafkm32.exe File opened for modification C:\Windows\SysWOW64\Jdoblckh.exe Jndjoi32.exe File created C:\Windows\SysWOW64\Dlmdgdnq.dll Fnodob32.exe File opened for modification C:\Windows\SysWOW64\Jfnaok32.exe Jijqeg32.exe File created C:\Windows\SysWOW64\Qabojbcg.dll Hkljljko.exe File opened for modification C:\Windows\SysWOW64\Bigpdjpm.exe Bpokkdim.exe File created C:\Windows\SysWOW64\Fdhdlh32.dll Jcnloa32.exe File opened for modification C:\Windows\SysWOW64\Dmbpaa32.exe Ddjkhl32.exe File created C:\Windows\SysWOW64\Bhdmahpn.exe Aajedn32.exe File created C:\Windows\SysWOW64\Fqbacl32.dll Bgjknijp.exe File opened for modification C:\Windows\SysWOW64\Iodolf32.exe Ihjfolmn.exe File created C:\Windows\SysWOW64\Ogmmlppd.dll Jmcbio32.exe File opened for modification C:\Windows\SysWOW64\Koogdg32.exe Kjbnlqld.exe File created C:\Windows\SysWOW64\Fchgnj32.exe Fmnoapba.exe File created C:\Windows\SysWOW64\Biegpl32.exe Bqjcli32.exe File opened for modification C:\Windows\SysWOW64\Diljpn32.exe Cpdeghgk.exe File opened for modification C:\Windows\SysWOW64\Kkglim32.exe Kanhph32.exe File created C:\Windows\SysWOW64\Cfmceomm.exe Cobkhe32.exe File created C:\Windows\SysWOW64\Eiggim32.dll Nnnmoh32.exe File created C:\Windows\SysWOW64\Onloqmmk.dll Ddoiei32.exe File created C:\Windows\SysWOW64\Coidpiac.exe Baecgdbj.exe File created C:\Windows\SysWOW64\Gpfeoqmf.exe Gbbdemnl.exe File opened for modification C:\Windows\SysWOW64\Qnkdeagl.exe Qhnlmjie.exe File created C:\Windows\SysWOW64\Fmbkfd32.exe Fmpnpe32.exe File created C:\Windows\SysWOW64\Ickoimie.exe Ijbjpg32.exe File created C:\Windows\SysWOW64\Iaheqe32.exe Igoagpja.exe File opened for modification C:\Windows\SysWOW64\Qifnjm32.exe Qajiek32.exe File opened for modification C:\Windows\SysWOW64\Ibmhjc32.exe Ihedan32.exe File created C:\Windows\SysWOW64\Licidced.dll Bncpffdn.exe File created C:\Windows\SysWOW64\Deljfqmf.exe Dnbbjf32.exe File created C:\Windows\SysWOW64\Linanl32.exe Lbdiabcg.exe File created C:\Windows\SysWOW64\Edlmlclc.dll Edfqclni.exe File opened for modification C:\Windows\SysWOW64\Iqdbqp32.exe Idnako32.exe File created C:\Windows\SysWOW64\Pildih32.exe Paqoef32.exe File created C:\Windows\SysWOW64\Eafapd32.exe Eljihn32.exe File opened for modification C:\Windows\SysWOW64\Ppacfg32.exe Pdjcaf32.exe File created C:\Windows\SysWOW64\Fdldmokn.exe Epnkfq32.exe File created C:\Windows\SysWOW64\Gacgli32.exe Gocnjn32.exe File created C:\Windows\SysWOW64\Conbmfif.exe Cjaieoko.exe File created C:\Windows\SysWOW64\Nliqoofa.exe Npbpjn32.exe File created C:\Windows\SysWOW64\Hidjml32.exe Gjmpfp32.exe File created C:\Windows\SysWOW64\Mfmekd32.exe Mpcmojia.exe File created C:\Windows\SysWOW64\Gcjaimek.dll Pmamliin.exe File created C:\Windows\SysWOW64\Kncmknkg.exe Kbllfmfc.exe File opened for modification C:\Windows\SysWOW64\Ckhdihlp.exe Coacdg32.exe File created C:\Windows\SysWOW64\Acjggeal.dll Nmglpjak.exe File created C:\Windows\SysWOW64\Knfjemna.dll Knckbe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1204 2632 WerFault.exe 948 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oncndnlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cghpgbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljogknmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coacdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmjpoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbaelej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiioanpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obngnphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eonhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkifld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcikllja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cajokmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdojendk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpgae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnkjfcik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgcingnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifcqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijbjpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdlidjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacgli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oahpahel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgoohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcaaahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflcplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnfalea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdpcgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eljihn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocpfmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjdmggb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfalpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clhgnagn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghaeaaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkglim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihedan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffejk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcdkmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiepga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minnmomo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boggkicf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfanep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgkqmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjqlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmonoli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olklmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhabfibb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnpkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnlfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllihf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhakp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indiodbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbfehn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlkakqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnadiko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqmbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibnppn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggohi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjngej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fioajqmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmfoodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdddnep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfaof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgmndokg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noffadai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfiajj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kceganoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ickoimie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Foacmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pegaje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lppgfkpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfganlfn.dll" Qcigjolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccqnmgpk.dll" Koogdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnaadb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmcceiaj.dll" Cfknjfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgfcabeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iodlcnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfbofjn.dll" Idnako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cigajqmq.dll" Mpgdaqmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjimepm.dll" Mdfejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejkdjfk.dll" Nlnlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfbkplni.dll" Jckiolgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdbqflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpoghg32.dll" Geplpfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhpjfoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Liohhbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inqjbhhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nccmng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bplofekp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jllggbde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlkigbef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blklfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffndghdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phcbmend.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ephhmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bglghdbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egdnjlcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpoqm32.dll" Mcdkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmickpbi.dll" Peakkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkcjlhdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcckjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pefmkpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggjmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcllmmbh.dll" Dmopge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afelbkca.dll" Gfkagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnblkahe.dll" Apbeeppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olclimif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcnloa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plbbmjhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhaqbbc.dll" Bggohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhkok32.dll" Oakcan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alfflhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlidpopk.dll" Mkcjlhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dghekobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmmpfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemgmgcg.dll" Pdnfalea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onkmhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbglgcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omkidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoeidfog.dll" Bkheal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjlhcegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnhakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkmkh32.dll" Gcimop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maieqidm.dll" Icnealbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadhch.dll" Jqeqhlii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gflcplhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckmfbf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1424 wrote to memory of 396 1424 Backdoor.Win32.Padodor.SK.exe 29 PID 1424 wrote to memory of 396 1424 Backdoor.Win32.Padodor.SK.exe 29 PID 1424 wrote to memory of 396 1424 Backdoor.Win32.Padodor.SK.exe 29 PID 1424 wrote to memory of 396 1424 Backdoor.Win32.Padodor.SK.exe 29 PID 396 wrote to memory of 2928 396 Acbieing.exe 30 PID 396 wrote to memory of 2928 396 Acbieing.exe 30 PID 396 wrote to memory of 2928 396 Acbieing.exe 30 PID 396 wrote to memory of 2928 396 Acbieing.exe 30 PID 2928 wrote to memory of 2748 2928 Afqeaemk.exe 31 PID 2928 wrote to memory of 2748 2928 Afqeaemk.exe 31 PID 2928 wrote to memory of 2748 2928 Afqeaemk.exe 31 PID 2928 wrote to memory of 2748 2928 Afqeaemk.exe 31 PID 2748 wrote to memory of 2936 2748 Afeold32.exe 32 PID 2748 wrote to memory of 2936 2748 Afeold32.exe 32 PID 2748 wrote to memory of 2936 2748 Afeold32.exe 32 PID 2748 wrote to memory of 2936 2748 Afeold32.exe 32 PID 2936 wrote to memory of 2640 2936 Bncpffdn.exe 33 PID 2936 wrote to memory of 2640 2936 Bncpffdn.exe 33 PID 2936 wrote to memory of 2640 2936 Bncpffdn.exe 33 PID 2936 wrote to memory of 2640 2936 Bncpffdn.exe 33 PID 2640 wrote to memory of 2460 2640 Bqciha32.exe 34 PID 2640 wrote to memory of 2460 2640 Bqciha32.exe 34 PID 2640 wrote to memory of 2460 2640 Bqciha32.exe 34 PID 2640 wrote to memory of 2460 2640 Bqciha32.exe 34 PID 2460 wrote to memory of 2872 2460 Bjnjfffm.exe 35 PID 2460 wrote to memory of 2872 2460 Bjnjfffm.exe 35 PID 2460 wrote to memory of 2872 2460 Bjnjfffm.exe 35 PID 2460 wrote to memory of 2872 2460 Bjnjfffm.exe 35 PID 2872 wrote to memory of 2524 2872 Bcgoolln.exe 36 PID 2872 wrote to memory of 2524 2872 Bcgoolln.exe 36 PID 2872 wrote to memory of 2524 2872 Bcgoolln.exe 36 PID 2872 wrote to memory of 2524 2872 Bcgoolln.exe 36 PID 2524 wrote to memory of 1684 2524 Conpdm32.exe 37 PID 2524 wrote to memory of 1684 2524 Conpdm32.exe 37 PID 2524 wrote to memory of 1684 2524 Conpdm32.exe 37 PID 2524 wrote to memory of 1684 2524 Conpdm32.exe 37 PID 1684 wrote to memory of 2892 1684 Ckdpinhf.exe 38 PID 1684 wrote to memory of 2892 1684 Ckdpinhf.exe 38 PID 1684 wrote to memory of 2892 1684 Ckdpinhf.exe 38 PID 1684 wrote to memory of 2892 1684 Ckdpinhf.exe 38 PID 2892 wrote to memory of 952 2892 Cgmndokg.exe 39 PID 2892 wrote to memory of 952 2892 Cgmndokg.exe 39 PID 2892 wrote to memory of 952 2892 Cgmndokg.exe 39 PID 2892 wrote to memory of 952 2892 Cgmndokg.exe 39 PID 952 wrote to memory of 1792 952 Cjngej32.exe 40 PID 952 wrote to memory of 1792 952 Cjngej32.exe 40 PID 952 wrote to memory of 1792 952 Cjngej32.exe 40 PID 952 wrote to memory of 1792 952 Cjngej32.exe 40 PID 1792 wrote to memory of 3056 1792 Dmopge32.exe 41 PID 1792 wrote to memory of 3056 1792 Dmopge32.exe 41 PID 1792 wrote to memory of 3056 1792 Dmopge32.exe 41 PID 1792 wrote to memory of 3056 1792 Dmopge32.exe 41 PID 3056 wrote to memory of 2340 3056 Dhdddnep.exe 42 PID 3056 wrote to memory of 2340 3056 Dhdddnep.exe 42 PID 3056 wrote to memory of 2340 3056 Dhdddnep.exe 42 PID 3056 wrote to memory of 2340 3056 Dhdddnep.exe 42 PID 2340 wrote to memory of 2212 2340 Dbqajk32.exe 43 PID 2340 wrote to memory of 2212 2340 Dbqajk32.exe 43 PID 2340 wrote to memory of 2212 2340 Dbqajk32.exe 43 PID 2340 wrote to memory of 2212 2340 Dbqajk32.exe 43 PID 2212 wrote to memory of 528 2212 Dlifcqfl.exe 44 PID 2212 wrote to memory of 528 2212 Dlifcqfl.exe 44 PID 2212 wrote to memory of 528 2212 Dlifcqfl.exe 44 PID 2212 wrote to memory of 528 2212 Dlifcqfl.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Bncpffdn.exeC:\Windows\system32\Bncpffdn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Bjnjfffm.exeC:\Windows\system32\Bjnjfffm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Bcgoolln.exeC:\Windows\system32\Bcgoolln.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Conpdm32.exeC:\Windows\system32\Conpdm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ckdpinhf.exeC:\Windows\system32\Ckdpinhf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Cjngej32.exeC:\Windows\system32\Cjngej32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Dbqajk32.exeC:\Windows\system32\Dbqajk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Dlifcqfl.exeC:\Windows\system32\Dlifcqfl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Eiocbd32.exeC:\Windows\system32\Eiocbd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:528 -
C:\Windows\SysWOW64\Ebghkjjc.exeC:\Windows\system32\Ebghkjjc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Ehgmiq32.exeC:\Windows\system32\Ehgmiq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Ekgfkl32.exeC:\Windows\system32\Ekgfkl32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Epdncb32.exeC:\Windows\system32\Epdncb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Fgnfpm32.exeC:\Windows\system32\Fgnfpm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Fcgdjmlo.exeC:\Windows\system32\Fcgdjmlo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Faonqiod.exeC:\Windows\system32\Faonqiod.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Ggppdpif.exeC:\Windows\system32\Ggppdpif.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Gcimop32.exeC:\Windows\system32\Gcimop32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Hjfbaj32.exeC:\Windows\system32\Hjfbaj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe33⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Himkgf32.exeC:\Windows\system32\Himkgf32.exe34⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Hnomkloi.exeC:\Windows\system32\Hnomkloi.exe35⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Imkqmh32.exeC:\Windows\system32\Imkqmh32.exe36⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Jbjejojn.exeC:\Windows\system32\Jbjejojn.exe37⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe38⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Jocceo32.exeC:\Windows\system32\Jocceo32.exe39⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe40⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Kfenjq32.exeC:\Windows\system32\Kfenjq32.exe42⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Kidjfl32.exeC:\Windows\system32\Kidjfl32.exe43⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Kifgllbc.exeC:\Windows\system32\Kifgllbc.exe44⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Kbokda32.exeC:\Windows\system32\Kbokda32.exe45⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Kpblne32.exeC:\Windows\system32\Kpblne32.exe46⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Keodflee.exeC:\Windows\system32\Keodflee.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Lccepqdo.exeC:\Windows\system32\Lccepqdo.exe48⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Lllihf32.exeC:\Windows\system32\Lllihf32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Lednal32.exeC:\Windows\system32\Lednal32.exe50⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Lkafib32.exeC:\Windows\system32\Lkafib32.exe51⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Lpnobi32.exeC:\Windows\system32\Lpnobi32.exe52⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe53⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Lgjcdc32.exeC:\Windows\system32\Lgjcdc32.exe54⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Llgllj32.exeC:\Windows\system32\Llgllj32.exe55⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Mliibj32.exeC:\Windows\system32\Mliibj32.exe56⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Mccaodgj.exeC:\Windows\system32\Mccaodgj.exe57⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mjmiknng.exeC:\Windows\system32\Mjmiknng.exe58⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Mojaceln.exeC:\Windows\system32\Mojaceln.exe59⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Mkqbhf32.exeC:\Windows\system32\Mkqbhf32.exe60⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mhdcbjal.exeC:\Windows\system32\Mhdcbjal.exe61⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe62⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Mfhcknpf.exeC:\Windows\system32\Mfhcknpf.exe63⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe64⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Nbodpo32.exeC:\Windows\system32\Nbodpo32.exe65⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe66⤵PID:1528
-
C:\Windows\SysWOW64\Nccmng32.exeC:\Windows\system32\Nccmng32.exe67⤵
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Nnhakp32.exeC:\Windows\system32\Nnhakp32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Ngafdepl.exeC:\Windows\system32\Ngafdepl.exe69⤵PID:2956
-
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe70⤵PID:2136
-
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe71⤵PID:2760
-
C:\Windows\SysWOW64\Nidoamch.exeC:\Windows\system32\Nidoamch.exe72⤵PID:2980
-
C:\Windows\SysWOW64\Nfhpjaba.exeC:\Windows\system32\Nfhpjaba.exe73⤵PID:2708
-
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe74⤵PID:2624
-
C:\Windows\SysWOW64\Oenmkngi.exeC:\Windows\system32\Oenmkngi.exe75⤵PID:972
-
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe76⤵PID:2876
-
C:\Windows\SysWOW64\Ofmiea32.exeC:\Windows\system32\Ofmiea32.exe77⤵PID:2464
-
C:\Windows\SysWOW64\Onhnjclg.exeC:\Windows\system32\Onhnjclg.exe78⤵PID:2968
-
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe79⤵PID:1284
-
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe80⤵PID:2404
-
C:\Windows\SysWOW64\Odgchjhl.exeC:\Windows\system32\Odgchjhl.exe81⤵PID:2156
-
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe82⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe83⤵PID:1168
-
C:\Windows\SysWOW64\Pdllci32.exeC:\Windows\system32\Pdllci32.exe84⤵PID:1532
-
C:\Windows\SysWOW64\Piiekp32.exeC:\Windows\system32\Piiekp32.exe85⤵PID:1964
-
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe86⤵PID:2576
-
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe87⤵PID:2712
-
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe88⤵PID:2740
-
C:\Windows\SysWOW64\Pmijgn32.exeC:\Windows\system32\Pmijgn32.exe89⤵PID:2756
-
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe90⤵PID:2080
-
C:\Windows\SysWOW64\Qomcdf32.exeC:\Windows\system32\Qomcdf32.exe91⤵PID:2704
-
C:\Windows\SysWOW64\Qlqdmj32.exeC:\Windows\system32\Qlqdmj32.exe92⤵PID:1732
-
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:664 -
C:\Windows\SysWOW64\Qdlialfb.exeC:\Windows\system32\Qdlialfb.exe94⤵PID:2100
-
C:\Windows\SysWOW64\Akfaof32.exeC:\Windows\system32\Akfaof32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Aekelo32.exeC:\Windows\system32\Aekelo32.exe96⤵PID:1624
-
C:\Windows\SysWOW64\Akhndf32.exeC:\Windows\system32\Akhndf32.exe97⤵PID:2224
-
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe98⤵PID:1452
-
C:\Windows\SysWOW64\Akjjifji.exeC:\Windows\system32\Akjjifji.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:588 -
C:\Windows\SysWOW64\Adcobk32.exeC:\Windows\system32\Adcobk32.exe100⤵PID:2500
-
C:\Windows\SysWOW64\Agakog32.exeC:\Windows\system32\Agakog32.exe101⤵PID:1000
-
C:\Windows\SysWOW64\Alncgn32.exeC:\Windows\system32\Alncgn32.exe102⤵PID:1568
-
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe103⤵PID:2788
-
C:\Windows\SysWOW64\Annpaq32.exeC:\Windows\system32\Annpaq32.exe104⤵PID:2944
-
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe105⤵
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe106⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe107⤵PID:2424
-
C:\Windows\SysWOW64\Cfpgee32.exeC:\Windows\system32\Cfpgee32.exe108⤵PID:284
-
C:\Windows\SysWOW64\Cmjoaofc.exeC:\Windows\system32\Cmjoaofc.exe109⤵PID:2260
-
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe111⤵PID:1824
-
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe112⤵PID:2324
-
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe113⤵PID:2468
-
C:\Windows\SysWOW64\Deimaa32.exeC:\Windows\system32\Deimaa32.exe114⤵PID:1368
-
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe115⤵PID:2664
-
C:\Windows\SysWOW64\Dnbbjf32.exeC:\Windows\system32\Dnbbjf32.exe116⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe117⤵PID:2752
-
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe118⤵PID:2884
-
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe119⤵PID:1060
-
C:\Windows\SysWOW64\Dnfkefad.exeC:\Windows\system32\Dnfkefad.exe120⤵PID:2372
-
C:\Windows\SysWOW64\Ephhmn32.exeC:\Windows\system32\Ephhmn32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Eagdgaoe.exeC:\Windows\system32\Eagdgaoe.exe122⤵PID:1044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-