Analysis
-
max time kernel
66s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 10:42
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
93KB
-
MD5
91849a05f965eb8b47838d3de6311fb0
-
SHA1
e7b434a967d8d8252ee6e140d4a4b8df528f3f49
-
SHA256
4c0acc08421e64177dec2fbb8baf0ad77e427e59c17fe049b85dfef70497a645
-
SHA512
d1f441bff5c59bef2caefa7908511d076aceade8466d4d7a1a17419937f518691cd9b56cdac77d1be0dc4e7a56e053f8f20860b3f669b891dc74783370fddcbe
-
SSDEEP
1536:ejW/8gomh5BvDZPvHhi9pM1Er84JMDpGBuGA35JtpXW9i1Tdjiwg58:+WUgoQ5Bv1HhiC4JMDpffp4i1ZY58
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ifgicg32.exeDpegcq32.exeBdqlajbb.exeEdaalk32.exeEcfnmh32.exeFabaocfl.exeDdiibc32.exeJhoice32.exeKgfoie32.exeIjphofem.exeBckjhl32.exeDljmlj32.exeMiehak32.exePlolgk32.exeAccqnc32.exeFmegncpp.exeJhjphfgi.exeKbigpn32.exeGolbnm32.exeCjakccop.exeDlfgcl32.exeGepafc32.exeOibmpl32.exeBoljgg32.exeCjgoje32.exeLjnnko32.exeFmkilb32.exeCjjkpe32.exeFhbnbpjc.exeHidcef32.exeKdnild32.exeCenljmgq.exeMclebc32.exePkcbnanl.exeGjbpne32.exeBffbdadk.exeCkmnbg32.exeGconbj32.exeEoompl32.exeGnkmqkbi.exeMngjeamd.exePgpgjepk.exeNmfbpk32.exeCmjdaqgi.exeKjahej32.exeLdllgiek.exePjcmap32.exeDogpdg32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpegcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edaalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfnmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabaocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddiibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhoice32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgfoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dljmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Accqnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmegncpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjphfgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbigpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjakccop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfgcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddiibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmkilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhbnbpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidcef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cenljmgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjbpne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bffbdadk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmnbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoompl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkmqkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mngjeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgpgjepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldllgiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcmap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogpdg32.exe -
Executes dropped EXE 64 IoCs
Processes:
Bmbemb32.exeBncaekhp.exeCiifbchf.exeCpcnonob.exeCadjgf32.exeCljodo32.exeCjmopkla.exeCebcmdlg.exeCllkin32.exeCojhejbh.exeCmmhaf32.exeChcloo32.exeComdkipe.exeCakqgeoi.exeCheido32.exeCkcepj32.exeDanmmd32.exeDbojdmcd.exeDgjfek32.exeDlgnmb32.exeDpcjnabn.exeDgmbkk32.exeDepbfhpe.exeDljkcb32.exeDpegcq32.exeDgoopkgh.exeDllhhaep.exeDojddmec.exeDedlag32.exeDiphbfdi.exeDomqjm32.exeDakmfh32.exeDdiibc32.exeEoompl32.exeEamilh32.exeEeielfhk.exeEdlfhc32.exeEpbfmd32.exeEhjona32.exeEkhkjm32.exeEjkkfjkj.exeEabcggll.exeEccpoo32.exeEniclh32.exeEpgphcqd.exeEdclib32.exeEcfldoph.exeEgahen32.exeEjpdai32.exeEnkpahon.exeElnqmd32.exeEqjmncna.exeFchijone.exeFgcejm32.exeFjbafi32.exeFlqmbd32.exeFoojop32.exeFcjeon32.exeFbmfkkbm.exeFfibkj32.exeFhgnge32.exeFkejcq32.exeFoafdoag.exeFbpbpkpj.exepid process 2100 Bmbemb32.exe 1360 Bncaekhp.exe 2292 Ciifbchf.exe 2844 Cpcnonob.exe 2996 Cadjgf32.exe 2852 Cljodo32.exe 2600 Cjmopkla.exe 1916 Cebcmdlg.exe 1624 Cllkin32.exe 2912 Cojhejbh.exe 1248 Cmmhaf32.exe 1484 Chcloo32.exe 808 Comdkipe.exe 2316 Cakqgeoi.exe 1492 Cheido32.exe 1864 Ckcepj32.exe 840 Danmmd32.exe 556 Dbojdmcd.exe 1324 Dgjfek32.exe 2072 Dlgnmb32.exe 1736 Dpcjnabn.exe 888 Dgmbkk32.exe 2992 Depbfhpe.exe 872 Dljkcb32.exe 2392 Dpegcq32.exe 864 Dgoopkgh.exe 2356 Dllhhaep.exe 2552 Dojddmec.exe 3012 Dedlag32.exe 2208 Diphbfdi.exe 1748 Domqjm32.exe 2608 Dakmfh32.exe 2320 Ddiibc32.exe 480 Eoompl32.exe 2772 Eamilh32.exe 564 Eeielfhk.exe 1852 Edlfhc32.exe 1680 Epbfmd32.exe 1760 Ehjona32.exe 1992 Ekhkjm32.exe 700 Ejkkfjkj.exe 1240 Eabcggll.exe 2556 Eccpoo32.exe 952 Eniclh32.exe 308 Epgphcqd.exe 2240 Edclib32.exe 2384 Ecfldoph.exe 2212 Egahen32.exe 2192 Ejpdai32.exe 1232 Enkpahon.exe 2184 Elnqmd32.exe 2700 Eqjmncna.exe 2604 Fchijone.exe 2824 Fgcejm32.exe 2332 Fjbafi32.exe 2860 Flqmbd32.exe 2684 Foojop32.exe 2888 Fcjeon32.exe 1908 Fbmfkkbm.exe 2116 Ffibkj32.exe 1060 Fhgnge32.exe 2576 Fkejcq32.exe 1824 Foafdoag.exe 1548 Fbpbpkpj.exe -
Loads dropped DLL 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exeBmbemb32.exeBncaekhp.exeCiifbchf.exeCpcnonob.exeCadjgf32.exeCljodo32.exeCjmopkla.exeCebcmdlg.exeCllkin32.exeCojhejbh.exeCmmhaf32.exeChcloo32.exeComdkipe.exeCakqgeoi.exeCheido32.exeCkcepj32.exeDanmmd32.exeDbojdmcd.exeDgjfek32.exeDlgnmb32.exeDpcjnabn.exeDgmbkk32.exeDepbfhpe.exeDljkcb32.exeDpegcq32.exeDgoopkgh.exeDllhhaep.exeDojddmec.exeDedlag32.exeDiphbfdi.exeDomqjm32.exepid process 2452 Backdoor.Win32.Padodor.SK.exe 2452 Backdoor.Win32.Padodor.SK.exe 2100 Bmbemb32.exe 2100 Bmbemb32.exe 1360 Bncaekhp.exe 1360 Bncaekhp.exe 2292 Ciifbchf.exe 2292 Ciifbchf.exe 2844 Cpcnonob.exe 2844 Cpcnonob.exe 2996 Cadjgf32.exe 2996 Cadjgf32.exe 2852 Cljodo32.exe 2852 Cljodo32.exe 2600 Cjmopkla.exe 2600 Cjmopkla.exe 1916 Cebcmdlg.exe 1916 Cebcmdlg.exe 1624 Cllkin32.exe 1624 Cllkin32.exe 2912 Cojhejbh.exe 2912 Cojhejbh.exe 1248 Cmmhaf32.exe 1248 Cmmhaf32.exe 1484 Chcloo32.exe 1484 Chcloo32.exe 808 Comdkipe.exe 808 Comdkipe.exe 2316 Cakqgeoi.exe 2316 Cakqgeoi.exe 1492 Cheido32.exe 1492 Cheido32.exe 1864 Ckcepj32.exe 1864 Ckcepj32.exe 840 Danmmd32.exe 840 Danmmd32.exe 556 Dbojdmcd.exe 556 Dbojdmcd.exe 1324 Dgjfek32.exe 1324 Dgjfek32.exe 2072 Dlgnmb32.exe 2072 Dlgnmb32.exe 1736 Dpcjnabn.exe 1736 Dpcjnabn.exe 888 Dgmbkk32.exe 888 Dgmbkk32.exe 2992 Depbfhpe.exe 2992 Depbfhpe.exe 872 Dljkcb32.exe 872 Dljkcb32.exe 2392 Dpegcq32.exe 2392 Dpegcq32.exe 864 Dgoopkgh.exe 864 Dgoopkgh.exe 2356 Dllhhaep.exe 2356 Dllhhaep.exe 2552 Dojddmec.exe 2552 Dojddmec.exe 3012 Dedlag32.exe 3012 Dedlag32.exe 2208 Diphbfdi.exe 2208 Diphbfdi.exe 1748 Domqjm32.exe 1748 Domqjm32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jhoice32.exeFmkilb32.exePebpkk32.exeEphbal32.exeFhdjgoha.exeFgigil32.exeGoplilpf.exeOiffkkbk.exeAdifpk32.exeDnpciaef.exeJbpdeogo.exeMacilmnk.exeNijnln32.exeDddimn32.exeImahkg32.exeLgehno32.exeIjnkifgp.exeFmegncpp.exeIlcoce32.exeJepmgj32.exeKpadhg32.exeFcbecl32.exeOjomdoof.exeIiecgjba.exeJehlkhig.exeEaebeoan.exePohhna32.exeApgagg32.exeBoljgg32.exeCileqlmg.exeCcjoli32.exeCmjdaqgi.exeIlnomp32.exeAojabdlf.exeDfpaic32.exeIbipmiek.exeAfjjed32.exeAgolnbok.exeKfnmpn32.exeKdefgj32.exeCfpldf32.exeEdfbaabj.exeJlkngc32.exeKaompi32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ckeqga32.exe File opened for modification C:\Windows\SysWOW64\Icncgf32.exe File opened for modification C:\Windows\SysWOW64\Jgaiobjn.exe Jhoice32.exe File opened for modification C:\Windows\SysWOW64\Fqfemqod.exe Fmkilb32.exe File created C:\Windows\SysWOW64\Gmoloenf.dll Pebpkk32.exe File created C:\Windows\SysWOW64\Ecfnmh32.exe Ephbal32.exe File created C:\Windows\SysWOW64\Kljdkpfl.exe File created C:\Windows\SysWOW64\Dchdgl32.dll File created C:\Windows\SysWOW64\Fkbgckgd.exe Fhdjgoha.exe File created C:\Windows\SysWOW64\Fjhcegll.exe Fgigil32.exe File created C:\Windows\SysWOW64\Gncldi32.exe Goplilpf.exe File created C:\Windows\SysWOW64\Ohiffh32.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Qoblpdnf.dll Adifpk32.exe File created C:\Windows\SysWOW64\Gamnel32.dll File opened for modification C:\Windows\SysWOW64\Ohbikbkb.exe File opened for modification C:\Windows\SysWOW64\Feddombd.exe File opened for modification C:\Windows\SysWOW64\Gnfkba32.exe File opened for modification C:\Windows\SysWOW64\Danpemej.exe Dnpciaef.exe File created C:\Windows\SysWOW64\Koflgf32.exe File opened for modification C:\Windows\SysWOW64\Jenpajfb.exe Jbpdeogo.exe File created C:\Windows\SysWOW64\Meoell32.exe Macilmnk.exe File opened for modification C:\Windows\SysWOW64\Nlhjhi32.exe Nijnln32.exe File created C:\Windows\SysWOW64\Fgpomb32.dll Dddimn32.exe File created C:\Windows\SysWOW64\Ejebfdmb.dll Imahkg32.exe File created C:\Windows\SysWOW64\Oepoia32.dll Lgehno32.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Oiffkkbk.exe File opened for modification C:\Windows\SysWOW64\Iiqldc32.exe Ijnkifgp.exe File created C:\Windows\SysWOW64\Nflchkii.exe File created C:\Windows\SysWOW64\Ilalae32.dll File created C:\Windows\SysWOW64\Foccjood.exe Fmegncpp.exe File created C:\Windows\SysWOW64\Alqqcl32.dll Ilcoce32.exe File created C:\Windows\SysWOW64\Nhjpke32.dll Jepmgj32.exe File created C:\Windows\SysWOW64\Fnbdfpji.dll Kpadhg32.exe File created C:\Windows\SysWOW64\Fdkehipd.dll Fcbecl32.exe File created C:\Windows\SysWOW64\Oibmpl32.exe Ojomdoof.exe File created C:\Windows\SysWOW64\Ilcoce32.exe Iiecgjba.exe File created C:\Windows\SysWOW64\Jhebgh32.dll Jehlkhig.exe File created C:\Windows\SysWOW64\Jjipagod.dll Eaebeoan.exe File created C:\Windows\SysWOW64\Jcfoeb32.dll File created C:\Windows\SysWOW64\Hgeelf32.exe File created C:\Windows\SysWOW64\Pmkhjncg.exe Pohhna32.exe File created C:\Windows\SysWOW64\Khoqme32.dll Apgagg32.exe File opened for modification C:\Windows\SysWOW64\Bchfhfeh.exe Boljgg32.exe File opened for modification C:\Windows\SysWOW64\Ckjamgmk.exe Cileqlmg.exe File created C:\Windows\SysWOW64\Cfhkhd32.exe Ccjoli32.exe File opened for modification C:\Windows\SysWOW64\Nlilqbgp.exe File created C:\Windows\SysWOW64\Ijppackl.dll Cmjdaqgi.exe File opened for modification C:\Windows\SysWOW64\Ijqoilii.exe Ilnomp32.exe File opened for modification C:\Windows\SysWOW64\Bkpglbaj.exe File opened for modification C:\Windows\SysWOW64\Emdeok32.exe File created C:\Windows\SysWOW64\Aaimopli.exe Aojabdlf.exe File created C:\Windows\SysWOW64\Debadpeg.exe Dfpaic32.exe File created C:\Windows\SysWOW64\Epbahp32.dll Ibipmiek.exe File opened for modification C:\Windows\SysWOW64\Mdadjd32.exe File created C:\Windows\SysWOW64\Aklabp32.exe File opened for modification C:\Windows\SysWOW64\Aihfap32.exe Afjjed32.exe File created C:\Windows\SysWOW64\Hqjpab32.dll Agolnbok.exe File created C:\Windows\SysWOW64\Hqbbglbj.dll Kfnmpn32.exe File created C:\Windows\SysWOW64\Kllnhg32.exe Kdefgj32.exe File created C:\Windows\SysWOW64\Ciohqa32.exe Cfpldf32.exe File created C:\Windows\SysWOW64\Fhbnbpjc.exe Edfbaabj.exe File created C:\Windows\SysWOW64\Kenoifpb.exe File opened for modification C:\Windows\SysWOW64\Jojkco32.exe Jlkngc32.exe File created C:\Windows\SysWOW64\Kdnild32.exe Kaompi32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 336 604 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Fkkfgi32.exeMjaddn32.exeCinafkkd.exeDfmeccao.exeIakgefqe.exeCbblda32.exeCgaaah32.exeJgdfdbhk.exeNagbgl32.exeEacljf32.exeGildahhp.exePanaeb32.exeFlocfmnl.exeJhmofo32.exeKnbhlkkc.exeQaqnkafa.exeFnofjfhk.exeFpjofl32.exeInhanl32.exeMklcadfn.exeOiffkkbk.exeOonldcih.exeEaebeoan.exeBeackp32.exeLgehno32.exeMpgobc32.exeFigmjq32.exeQackpado.exeBmcnqama.exeDkigoimd.exeOaqbln32.exeHejmpqop.exeBgoime32.exeBceibfgj.exeDbojdmcd.exeElajgpmj.exeInlkik32.exeIapgkl32.exeMgedmb32.exeFlhflleb.exeClbnhmjo.exeDgbeiiqe.exeQkfocaki.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkfgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmeccao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakgefqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdfdbhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eacljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gildahhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panaeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flocfmnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhmofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbhlkkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqnkafa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnofjfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklcadfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonldcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaebeoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beackp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figmjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qackpado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcnqama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejmpqop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgoime32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbojdmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlkik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgedmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhflleb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbnhmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbeiiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe -
Modifies registry class 64 IoCs
Processes:
Aqhhanig.exeEcploipa.exeInjndk32.exeEabepp32.exeNbpeoc32.exeMgedmb32.exeImgnjb32.exeOpaebkmc.exeOopijc32.exeFjhcegll.exeAkabgebj.exeMacilmnk.exeOdhhgkib.exeJdpjba32.exeJioopgef.exeImleli32.exeOfadnq32.exeKnbhlkkc.exeDkigoimd.exeGhajacmo.exeJimbkh32.exeQpbglhjq.exeCegoqlof.exeKcopdb32.exeNfidjbdg.exeKadfkhkf.exeIiecgjba.exeLhnkffeo.exeOidiekdn.exeJmdepg32.exeHkmollme.exeKkgahoel.exeEobchk32.exeFindhdcb.exeJojkco32.exeEoompl32.exeEaebeoan.exeGjgiidkl.exeFhdjgoha.exeAnlhkbhq.exeGnaooi32.exeFjbafi32.exeIllbhp32.exeGneijien.exeAhbekjcf.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqhhanig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgahbgk.dll" Injndk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eabepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkcqmgj.dll" Nbpeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaadfcpf.dll" Imgnjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapecq32.dll" Opaebkmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjhcegll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchopn32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Macilmnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odhhgkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpehmcmg.dll" Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knbhlkkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkigoimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eligcnhi.dll" Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cegoqlof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoolamp.dll" Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgnph32.dll" Kadfkhkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iiecgjba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhnkffeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmnap32.dll" Hkmollme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkgahoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eobchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Findhdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jojkco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjgacnjm.dll" Eoompl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eaebeoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjgiidkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdehk32.dll" Fhdjgoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkpdn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjbafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giqhcmil.dll" Illbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gneijien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahbekjcf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exeBmbemb32.exeBncaekhp.exeCiifbchf.exeCpcnonob.exeCadjgf32.exeCljodo32.exeCjmopkla.exeCebcmdlg.exeCllkin32.exeCojhejbh.exeCmmhaf32.exeChcloo32.exeComdkipe.exeCakqgeoi.exeCheido32.exedescription pid process target process PID 2452 wrote to memory of 2100 2452 Backdoor.Win32.Padodor.SK.exe Bmbemb32.exe PID 2452 wrote to memory of 2100 2452 Backdoor.Win32.Padodor.SK.exe Bmbemb32.exe PID 2452 wrote to memory of 2100 2452 Backdoor.Win32.Padodor.SK.exe Bmbemb32.exe PID 2452 wrote to memory of 2100 2452 Backdoor.Win32.Padodor.SK.exe Bmbemb32.exe PID 2100 wrote to memory of 1360 2100 Bmbemb32.exe Bncaekhp.exe PID 2100 wrote to memory of 1360 2100 Bmbemb32.exe Bncaekhp.exe PID 2100 wrote to memory of 1360 2100 Bmbemb32.exe Bncaekhp.exe PID 2100 wrote to memory of 1360 2100 Bmbemb32.exe Bncaekhp.exe PID 1360 wrote to memory of 2292 1360 Bncaekhp.exe Ciifbchf.exe PID 1360 wrote to memory of 2292 1360 Bncaekhp.exe Ciifbchf.exe PID 1360 wrote to memory of 2292 1360 Bncaekhp.exe Ciifbchf.exe PID 1360 wrote to memory of 2292 1360 Bncaekhp.exe Ciifbchf.exe PID 2292 wrote to memory of 2844 2292 Ciifbchf.exe Cpcnonob.exe PID 2292 wrote to memory of 2844 2292 Ciifbchf.exe Cpcnonob.exe PID 2292 wrote to memory of 2844 2292 Ciifbchf.exe Cpcnonob.exe PID 2292 wrote to memory of 2844 2292 Ciifbchf.exe Cpcnonob.exe PID 2844 wrote to memory of 2996 2844 Cpcnonob.exe Cadjgf32.exe PID 2844 wrote to memory of 2996 2844 Cpcnonob.exe Cadjgf32.exe PID 2844 wrote to memory of 2996 2844 Cpcnonob.exe Cadjgf32.exe PID 2844 wrote to memory of 2996 2844 Cpcnonob.exe Cadjgf32.exe PID 2996 wrote to memory of 2852 2996 Cadjgf32.exe Cljodo32.exe PID 2996 wrote to memory of 2852 2996 Cadjgf32.exe Cljodo32.exe PID 2996 wrote to memory of 2852 2996 Cadjgf32.exe Cljodo32.exe PID 2996 wrote to memory of 2852 2996 Cadjgf32.exe Cljodo32.exe PID 2852 wrote to memory of 2600 2852 Cljodo32.exe Cjmopkla.exe PID 2852 wrote to memory of 2600 2852 Cljodo32.exe Cjmopkla.exe PID 2852 wrote to memory of 2600 2852 Cljodo32.exe Cjmopkla.exe PID 2852 wrote to memory of 2600 2852 Cljodo32.exe Cjmopkla.exe PID 2600 wrote to memory of 1916 2600 Cjmopkla.exe Cebcmdlg.exe PID 2600 wrote to memory of 1916 2600 Cjmopkla.exe Cebcmdlg.exe PID 2600 wrote to memory of 1916 2600 Cjmopkla.exe Cebcmdlg.exe PID 2600 wrote to memory of 1916 2600 Cjmopkla.exe Cebcmdlg.exe PID 1916 wrote to memory of 1624 1916 Cebcmdlg.exe Cllkin32.exe PID 1916 wrote to memory of 1624 1916 Cebcmdlg.exe Cllkin32.exe PID 1916 wrote to memory of 1624 1916 Cebcmdlg.exe Cllkin32.exe PID 1916 wrote to memory of 1624 1916 Cebcmdlg.exe Cllkin32.exe PID 1624 wrote to memory of 2912 1624 Cllkin32.exe Cojhejbh.exe PID 1624 wrote to memory of 2912 1624 Cllkin32.exe Cojhejbh.exe PID 1624 wrote to memory of 2912 1624 Cllkin32.exe Cojhejbh.exe PID 1624 wrote to memory of 2912 1624 Cllkin32.exe Cojhejbh.exe PID 2912 wrote to memory of 1248 2912 Cojhejbh.exe Cmmhaf32.exe PID 2912 wrote to memory of 1248 2912 Cojhejbh.exe Cmmhaf32.exe PID 2912 wrote to memory of 1248 2912 Cojhejbh.exe Cmmhaf32.exe PID 2912 wrote to memory of 1248 2912 Cojhejbh.exe Cmmhaf32.exe PID 1248 wrote to memory of 1484 1248 Cmmhaf32.exe Chcloo32.exe PID 1248 wrote to memory of 1484 1248 Cmmhaf32.exe Chcloo32.exe PID 1248 wrote to memory of 1484 1248 Cmmhaf32.exe Chcloo32.exe PID 1248 wrote to memory of 1484 1248 Cmmhaf32.exe Chcloo32.exe PID 1484 wrote to memory of 808 1484 Chcloo32.exe Comdkipe.exe PID 1484 wrote to memory of 808 1484 Chcloo32.exe Comdkipe.exe PID 1484 wrote to memory of 808 1484 Chcloo32.exe Comdkipe.exe PID 1484 wrote to memory of 808 1484 Chcloo32.exe Comdkipe.exe PID 808 wrote to memory of 2316 808 Comdkipe.exe Cakqgeoi.exe PID 808 wrote to memory of 2316 808 Comdkipe.exe Cakqgeoi.exe PID 808 wrote to memory of 2316 808 Comdkipe.exe Cakqgeoi.exe PID 808 wrote to memory of 2316 808 Comdkipe.exe Cakqgeoi.exe PID 2316 wrote to memory of 1492 2316 Cakqgeoi.exe Cheido32.exe PID 2316 wrote to memory of 1492 2316 Cakqgeoi.exe Cheido32.exe PID 2316 wrote to memory of 1492 2316 Cakqgeoi.exe Cheido32.exe PID 2316 wrote to memory of 1492 2316 Cakqgeoi.exe Cheido32.exe PID 1492 wrote to memory of 1864 1492 Cheido32.exe Ckcepj32.exe PID 1492 wrote to memory of 1864 1492 Cheido32.exe Ckcepj32.exe PID 1492 wrote to memory of 1864 1492 Cheido32.exe Ckcepj32.exe PID 1492 wrote to memory of 1864 1492 Cheido32.exe Ckcepj32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Dgmbkk32.exeC:\Windows\system32\Dgmbkk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe33⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe36⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe37⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe38⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe39⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe40⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe41⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe42⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe43⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe44⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe45⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe46⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe47⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe48⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe49⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe50⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe51⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe52⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe53⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe54⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe55⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe57⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe58⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe59⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe60⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe61⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe62⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe63⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe64⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe65⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe66⤵PID:1716
-
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe67⤵PID:1648
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe69⤵PID:2880
-
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe70⤵PID:2804
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe71⤵PID:2632
-
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe72⤵PID:2672
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe73⤵PID:2160
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe74⤵PID:596
-
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe75⤵PID:1636
-
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe76⤵PID:1552
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe77⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe78⤵PID:2108
-
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe79⤵PID:1644
-
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe81⤵PID:1556
-
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe82⤵PID:916
-
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe83⤵PID:2508
-
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe84⤵PID:2524
-
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe85⤵PID:1608
-
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe86⤵PID:2268
-
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe87⤵PID:2820
-
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe88⤵PID:2928
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe89⤵PID:2176
-
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe90⤵PID:680
-
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe91⤵PID:2964
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe92⤵PID:1788
-
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe93⤵PID:2692
-
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe94⤵PID:2348
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe95⤵PID:3004
-
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe96⤵PID:2144
-
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe97⤵PID:1280
-
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe98⤵PID:2228
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe99⤵PID:2864
-
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe100⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe101⤵PID:2328
-
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe102⤵PID:2300
-
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe103⤵PID:1816
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe104⤵PID:2636
-
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe105⤵PID:1044
-
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe106⤵PID:956
-
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe107⤵PID:3028
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe108⤵PID:2064
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe109⤵PID:2988
-
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe110⤵PID:2740
-
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe111⤵PID:2708
-
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe112⤵PID:2640
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe113⤵PID:1592
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe114⤵PID:2324
-
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe115⤵PID:444
-
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe116⤵PID:1064
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe117⤵PID:2456
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe118⤵PID:2052
-
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe119⤵PID:2532
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe120⤵PID:2344
-
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe121⤵PID:2624
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe122⤵PID:2432
-
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe123⤵PID:784
-
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe124⤵PID:2780
-
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe125⤵PID:2232
-
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe126⤵PID:1264
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe127⤵PID:2200
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe128⤵PID:1752
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe129⤵PID:2800
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe130⤵PID:604
-
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe131⤵PID:2664
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe132⤵PID:1768
-
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe133⤵
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe134⤵PID:1724
-
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe135⤵PID:2976
-
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe136⤵PID:2760
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe137⤵PID:2924
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe138⤵PID:620
-
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe139⤵PID:2972
-
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe140⤵PID:1236
-
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe141⤵PID:2564
-
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe142⤵
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe143⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe144⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe145⤵PID:1500
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe147⤵PID:1312
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe148⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe149⤵PID:2396
-
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe150⤵PID:2648
-
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe151⤵PID:588
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe152⤵PID:3056
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe153⤵PID:1544
-
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe154⤵PID:1380
-
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe155⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe157⤵PID:580
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe158⤵PID:1796
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe159⤵PID:2500
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe160⤵PID:2920
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe161⤵PID:816
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe162⤵
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe163⤵PID:2076
-
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe164⤵PID:2668
-
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe165⤵PID:2296
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe166⤵PID:1340
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe167⤵PID:1640
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe168⤵PID:336
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe169⤵PID:264
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe170⤵PID:3016
-
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe171⤵PID:2968
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe172⤵PID:1612
-
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe173⤵PID:2380
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe174⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe175⤵PID:2544
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe176⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe177⤵
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe178⤵PID:3136
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe179⤵
- Drops file in System32 directory
PID:3176 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe180⤵PID:3220
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe181⤵PID:3260
-
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe182⤵PID:3300
-
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe183⤵PID:3340
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe184⤵PID:3380
-
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe185⤵PID:3420
-
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe186⤵PID:3460
-
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe187⤵PID:3500
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe188⤵PID:3540
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe189⤵PID:3580
-
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe190⤵PID:3620
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe191⤵
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe192⤵PID:3700
-
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe193⤵PID:3740
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3780 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe195⤵PID:3820
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe196⤵PID:3860
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3900 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe198⤵PID:3940
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe199⤵PID:3980
-
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe200⤵PID:4020
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe201⤵PID:4060
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe202⤵PID:4088
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe203⤵PID:3080
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe204⤵PID:3124
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe205⤵PID:3192
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe206⤵PID:3236
-
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3272 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe208⤵PID:3328
-
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe209⤵PID:3372
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe210⤵PID:3436
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe211⤵PID:3484
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe212⤵PID:3528
-
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe213⤵PID:3592
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe214⤵PID:3640
-
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe215⤵PID:3696
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe216⤵PID:3728
-
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe217⤵PID:3764
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe218⤵PID:3832
-
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe219⤵PID:3884
-
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3928 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe221⤵PID:3988
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe222⤵PID:4040
-
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe223⤵PID:4076
-
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe224⤵PID:3128
-
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe225⤵PID:3172
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe226⤵PID:3252
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe227⤵PID:3296
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe228⤵PID:3364
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe229⤵PID:3432
-
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe230⤵PID:3488
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3556 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe232⤵PID:3628
-
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe233⤵PID:3680
-
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe234⤵PID:3760
-
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe235⤵PID:3808
-
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe236⤵PID:3876
-
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe237⤵PID:3924
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe238⤵PID:4000
-
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe239⤵PID:4056
-
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe240⤵PID:3112
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe241⤵
- Drops file in System32 directory
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe242⤵PID:3268