Analysis
-
max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
16-09-2024 10:42
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
93KB
-
MD5
91849a05f965eb8b47838d3de6311fb0
-
SHA1
e7b434a967d8d8252ee6e140d4a4b8df528f3f49
-
SHA256
4c0acc08421e64177dec2fbb8baf0ad77e427e59c17fe049b85dfef70497a645
-
SHA512
d1f441bff5c59bef2caefa7908511d076aceade8466d4d7a1a17419937f518691cd9b56cdac77d1be0dc4e7a56e053f8f20860b3f669b891dc74783370fddcbe
-
SSDEEP
1536:ejW/8gomh5BvDZPvHhi9pM1Er84JMDpGBuGA35JtpXW9i1Tdjiwg58:+WUgoQ5Bv1HhiC4JMDpffp4i1ZY58
Malware Config
Extracted
Family: berbew
C2 URLs (the host appears only as the placeholder "f" in the extracted config; the third entry is a printf-style format string the implant fills in at runtime):
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
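The third extracted URL is a printf-style template, so a literal string match on it will never fire in proxy logs. The following is an added example (not part of the report and not code from the sample) that compiles each extracted template into a regular expression over the request path and query, then runs it over constructed proxy log lines. The host is deliberately left out of the match because the extracted config only shows the placeholder "f"; the conversion rules for %s, %u and %d/%i are this example's own assumptions about how the implant fills the template.

```python
import re

# C2 URL templates as extracted in the report's malware config. The host shows
# up only as the placeholder "f", so matching is done on path + query alone.
C2_TEMPLATES = [
    "http://f/wcmd.htm",
    "http://f/ppslog.php",
    "http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

_SPEC = re.compile(r"%(\d*)([sdiu])")  # printf conversions used by the template


def template_to_regex(template: str):
    """Compile a printf-style URL template into a regex over the request path.

    Assumed conversions (not stated by the report):
      %s    -> one non-empty field that stops at the next ':' separator
      %u    -> unsigned decimal, exact width if zero-padded (%09u -> 9 digits)
      %d/%i -> signed decimal, exact width if given (%02d -> 2 digits)
    """
    path = "/" + template.split("/", 3)[3]  # drop "http://f"
    parts, pos = [], 0
    for m in _SPEC.finditer(path):
        parts.append(re.escape(path[pos:m.start()]))
        width, conv = m.groups()
        digits = r"\d{%d}" % int(width) if width else r"\d+"
        if conv == "s":
            parts.append(r"[^:&\s]+")
        elif conv == "u":
            parts.append(digits)
        else:
            parts.append("-?" + digits)
        pos = m.end()
    parts.append(re.escape(path[pos:]))
    return re.compile("^" + "".join(parts) + "$")


C2_PATTERNS = [template_to_regex(t) for t in C2_TEMPLATES]


def match_c2_path(path: str):
    """Index of the template the request path matches, or None."""
    for i, pattern in enumerate(C2_PATTERNS):
        if pattern.match(path):
            return i
    return None


# Constructed proxy log lines for the demo (not from the report):
# "<client> <method> <server> <path>"
SAMPLE_LOG = """\
10.0.0.5 GET 203.0.113.9 /wcmd.htm
10.0.0.5 GET 203.0.113.9 /piplog.php?WIN-ABC:1:2:admin:000012345:5:10:42:07
10.0.0.7 GET 198.51.100.2 /index.html
10.0.0.5 POST 203.0.113.9 /ppslog.php
10.0.0.8 GET 203.0.113.9 /piplog.php?short
"""


def find_beacons(log_text: str):
    """Return (client, server, template) for every line that matches a template."""
    hits = []
    for line in log_text.splitlines():
        client, _method, server, path = line.split()
        idx = match_c2_path(path)
        if idx is not None:
            hits.append((client, server, C2_TEMPLATES[idx]))
    return hits


if __name__ == "__main__":
    for pattern in C2_PATTERNS:
        print(pattern.pattern)
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon:", hit)
```

The two static paths match as-is; the piplog template only fires when every colon-separated field has the width the format string demands, so a truncated or hand-typed query such as `/piplog.php?short` does not produce a hit.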
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs
Processes: Fjocbhbo.exe, Ggccllai.exe, Gdgdeppb.exe, Gjcmngnj.exe, Gggmgk32.exe, Backdoor.Win32.Padodor.SK.exe, Fdbkja32.exe, Fbfkceca.exe, Fqikob32.exe, Gqnejaff.exe, Fgqgfl32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjocbhbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggccllai.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdgdeppb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjcmngnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gggmgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Backdoor.Win32.Padodor.SK.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdbkja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fbfkceca.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqikob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqnejaff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gjcmngnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdbkja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fgqgfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjocbhbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbfkceca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ggccllai.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gggmgk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Backdoor.Win32.Padodor.SK.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgqgfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fqikob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gdgdeppb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gqnejaff.exe
Executes dropped EXE 11 IoCs
Processes: Fdbkja32.exe, Fgqgfl32.exe, Fjocbhbo.exe, Fbfkceca.exe, Fqikob32.exe, Ggccllai.exe, Gdgdeppb.exe, Gjcmngnj.exe, Gqnejaff.exe, Gggmgk32.exe, Gbmadd32.exe
pid | process
596 | Fdbkja32.exe
4860 | Fgqgfl32.exe
1156 | Fjocbhbo.exe
428 | Fbfkceca.exe
616 | Fqikob32.exe
992 | Ggccllai.exe
540 | Gdgdeppb.exe
3744 | Gjcmngnj.exe
1604 | Gqnejaff.exe
1356 | Gggmgk32.exe
1824 | Gbmadd32.exe
Drops file in System32 directory 33 IoCs
Processes: Fgqgfl32.exe, Fqikob32.exe, Backdoor.Win32.Padodor.SK.exe, Gdgdeppb.exe, Gqnejaff.exe, Gggmgk32.exe, Fdbkja32.exe, Fjocbhbo.exe, Gjcmngnj.exe, Fbfkceca.exe, Ggccllai.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Fjocbhbo.exe | Fgqgfl32.exe
File created | C:\Windows\SysWOW64\Fohoiloe.dll | Fgqgfl32.exe
File opened for modification | C:\Windows\SysWOW64\Ggccllai.exe | Fqikob32.exe
File opened for modification | C:\Windows\SysWOW64\Fdbkja32.exe | Backdoor.Win32.Padodor.SK.exe
File created | C:\Windows\SysWOW64\Hmcipf32.dll | Backdoor.Win32.Padodor.SK.exe
File created | C:\Windows\SysWOW64\Ggccllai.exe | Fqikob32.exe
File created | C:\Windows\SysWOW64\Paifdeda.dll | Gdgdeppb.exe
File created | C:\Windows\SysWOW64\Gggmgk32.exe | Gqnejaff.exe
File created | C:\Windows\SysWOW64\Hjmgbm32.dll | Gggmgk32.exe
File created | C:\Windows\SysWOW64\Fgqgfl32.exe | Fdbkja32.exe
File opened for modification | C:\Windows\SysWOW64\Fbfkceca.exe | Fjocbhbo.exe
File created | C:\Windows\SysWOW64\Gqnejaff.exe | Gjcmngnj.exe
File opened for modification | C:\Windows\SysWOW64\Gqnejaff.exe | Gjcmngnj.exe
File opened for modification | C:\Windows\SysWOW64\Gbmadd32.exe | Gggmgk32.exe
File created | C:\Windows\SysWOW64\Fbfkceca.exe | Fjocbhbo.exe
File created | C:\Windows\SysWOW64\Fpiedd32.dll | Fjocbhbo.exe
File created | C:\Windows\SysWOW64\Kminigbj.dll | Fbfkceca.exe
File created | C:\Windows\SysWOW64\Ogeigbeb.dll | Fqikob32.exe
File created | C:\Windows\SysWOW64\Gjcmngnj.exe | Gdgdeppb.exe
File created | C:\Windows\SysWOW64\Bhnbgoib.dll | Gqnejaff.exe
File created | C:\Windows\SysWOW64\Fdbkja32.exe | Backdoor.Win32.Padodor.SK.exe
File opened for modification | C:\Windows\SysWOW64\Fqikob32.exe | Fbfkceca.exe
File opened for modification | C:\Windows\SysWOW64\Gggmgk32.exe | Gqnejaff.exe
File created | C:\Windows\SysWOW64\Gdgdeppb.exe | Ggccllai.exe
File created | C:\Windows\SysWOW64\Ckfaapfi.dll | Gjcmngnj.exe
File created | C:\Windows\SysWOW64\Bbjlpn32.dll | Ggccllai.exe
File created | C:\Windows\SysWOW64\Gbmadd32.exe | Gggmgk32.exe
File created | C:\Windows\SysWOW64\Mkhpmopi.dll | Fdbkja32.exe
File opened for modification | C:\Windows\SysWOW64\Gdgdeppb.exe | Ggccllai.exe
File created | C:\Windows\SysWOW64\Fqikob32.exe | Fbfkceca.exe
File opened for modification | C:\Windows\SysWOW64\Gjcmngnj.exe | Gdgdeppb.exe
File opened for modification | C:\Windows\SysWOW64\Fgqgfl32.exe | Fdbkja32.exe
File opened for modification | C:\Windows\SysWOW64\Fjocbhbo.exe | Fgqgfl32.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3820 | 1824 | WerFault.exe | Gbmadd32.exe
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Gbmadd32.exe, Fdbkja32.exe, Fgqgfl32.exe, Fqikob32.exe, Gdgdeppb.exe, Gjcmngnj.exe, Gggmgk32.exe, Backdoor.Win32.Padodor.SK.exe, Fjocbhbo.exe, Fbfkceca.exe, Ggccllai.exe, Gqnejaff.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbmadd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdbkja32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgqgfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fqikob32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdgdeppb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjcmngnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gggmgk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Backdoor.Win32.Padodor.SK.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjocbhbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbfkceca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggccllai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqnejaff.exe
Modifies registry class 36 IoCs
Processes: Backdoor.Win32.Padodor.SK.exe, Fjocbhbo.exe, Fbfkceca.exe, Fdbkja32.exe, Gdgdeppb.exe, Gjcmngnj.exe, Gqnejaff.exe, Gggmgk32.exe, Fgqgfl32.exe, Fqikob32.exe, Ggccllai.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Backdoor.Win32.Padodor.SK.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | Backdoor.Win32.Padodor.SK.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fjocbhbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll" | Fjocbhbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kminigbj.dll" | Fbfkceca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fdbkja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fbfkceca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll" | Gdgdeppb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gjcmngnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gqnejaff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhnbgoib.dll" | Gqnejaff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gggmgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll" | Fdbkja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll" | Gjcmngnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll" | Gggmgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Backdoor.Win32.Padodor.SK.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fgqgfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fjocbhbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogeigbeb.dll" | Fqikob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gjcmngnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll" | Backdoor.Win32.Padodor.SK.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fdbkja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fgqgfl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fbfkceca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fqikob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ggccllai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdgdeppb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | Backdoor.Win32.Padodor.SK.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | Backdoor.Win32.Padodor.SK.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll" | Fgqgfl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fqikob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gqnejaff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ggccllai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll" | Ggccllai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdgdeppb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gggmgk32.exe
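The "Adds autorun key" and "Modifies registry class" signatures above describe one persistence mechanism: a CLSID is registered under Classes\WOW6432Node\CLSID with an InProcServer32 default value pointing at a freshly dropped DLL in SysWow64, and the same CLSID is named under ShellServiceObjectDelayLoad as "Web Event Logger", so Explorer.exe loads that DLL at each shell start. Every dropped copy re-points the one CLSID at its own DLL, which is why eleven different DLL paths are written for a single CLSID during the run. The following is an added example (not part of the report and not code from the sample) that parses a subset of the report's registry event lines, copied verbatim below, and reconstructs the SSODL -> CLSID -> DLL chain; the parsing regex assumes the report's "<operation> <key path>[ = "<value>"] <process>" line format, and on a live host the same join would be done against the registry rather than against event lines.

```python
import re

# A subset of the registry events from the report's "Adds autorun key" and
# "Modifies registry class" signatures, copied in the report's own line format:
#   <operation> <key path>[ = "<value>"] <process>
REG_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjocbhbo.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggccllai.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Backdoor.Win32.Padodor.SK.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Backdoor.Win32.Padodor.SK.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll" Backdoor.Win32.Padodor.SK.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Backdoor.Win32.Padodor.SK.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll" Fjocbhbo.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmadd32.exe
"""

# Assumed line format of the report (operation, key path, optional quoted value, process).
_EVENT = re.compile(
    r'^(Set value \(str\)|Key created|Key opened) (.+?)(?: = "(.*)")? (\S+)$'
)
SSODL_KEY = "\\CurrentVersion\\ShellServiceObjectDelayLoad\\"
# Only the InProcServer32 *default* value names the DLL; ThreadingModel is ignored.
_INPROC = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\\$")


def parse_events(text: str):
    """Yield (operation, key_path, value_or_None, process) for each event line."""
    for line in text.splitlines():
        m = _EVENT.match(line)
        if not m:
            continue
        op, path, value, proc = m.groups()
        if value is not None:
            value = value.replace("\\\\", "\\")  # the report doubles backslashes in data
        yield op, path, value, proc


def persistence_chain(events):
    """Link each ShellServiceObjectDelayLoad entry to the COM server DLLs behind it.

    Returns {clsid: {"names": {SSODL value names}, "servers": {(dll path, writer)}}}.
    Only CLSIDs actually referenced from SSODL are returned: those are the ones
    Explorer.exe will load at shell start, so those DLLs are what to collect.
    """
    ssodl_names = {}
    servers = {}
    for op, path, value, proc in events:
        if op != "Set value (str)" or value is None:
            continue
        if SSODL_KEY in path:
            name = path.split(SSODL_KEY, 1)[1]
            ssodl_names.setdefault(value.upper(), set()).add(name)
        m = _INPROC.search(path)
        if m:
            servers.setdefault(m.group(1).upper(), set()).add((value, proc))
    return {
        clsid: {"names": names, "servers": servers.get(clsid, set())}
        for clsid, names in ssodl_names.items()
    }


def dlls_to_collect(chain):
    """Sorted, de-duplicated DLL paths an IR team should pull from the host."""
    return sorted({dll for entry in chain.values() for dll, _ in entry["servers"]})


if __name__ == "__main__":
    chain = persistence_chain(parse_events(REG_EVENTS))
    for clsid, entry in chain.items():
        print(clsid, "as", entry["names"])
        for dll, writer in sorted(entry["servers"]):
            print("   ", dll, "written by", writer)
    print("collect:", dlls_to_collect(chain))
```

Because the join is keyed on the CLSID rather than on any one DLL name, the output is the same whichever of the eleven copies happened to write last; a host-side check should therefore enumerate both the native and the WOW6432Node ShellServiceObjectDelayLoad keys and resolve every CLSID they name, not grep for a known DLL name.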
Suspicious use of WriteProcessMemory 33 IoCs
Processes: Backdoor.Win32.Padodor.SK.exe, Fdbkja32.exe, Fgqgfl32.exe, Fjocbhbo.exe, Fbfkceca.exe, Fqikob32.exe, Ggccllai.exe, Gdgdeppb.exe, Gjcmngnj.exe, Gqnejaff.exe, Gggmgk32.exe
description | pid | process | target process
PID 2372 wrote to memory of 596 | 2372 | Backdoor.Win32.Padodor.SK.exe | Fdbkja32.exe
PID 2372 wrote to memory of 596 | 2372 | Backdoor.Win32.Padodor.SK.exe | Fdbkja32.exe
PID 2372 wrote to memory of 596 | 2372 | Backdoor.Win32.Padodor.SK.exe | Fdbkja32.exe
PID 596 wrote to memory of 4860 | 596 | Fdbkja32.exe | Fgqgfl32.exe
PID 596 wrote to memory of 4860 | 596 | Fdbkja32.exe | Fgqgfl32.exe
PID 596 wrote to memory of 4860 | 596 | Fdbkja32.exe | Fgqgfl32.exe
PID 4860 wrote to memory of 1156 | 4860 | Fgqgfl32.exe | Fjocbhbo.exe
PID 4860 wrote to memory of 1156 | 4860 | Fgqgfl32.exe | Fjocbhbo.exe
PID 4860 wrote to memory of 1156 | 4860 | Fgqgfl32.exe | Fjocbhbo.exe
PID 1156 wrote to memory of 428 | 1156 | Fjocbhbo.exe | Fbfkceca.exe
PID 1156 wrote to memory of 428 | 1156 | Fjocbhbo.exe | Fbfkceca.exe
PID 1156 wrote to memory of 428 | 1156 | Fjocbhbo.exe | Fbfkceca.exe
PID 428 wrote to memory of 616 | 428 | Fbfkceca.exe | Fqikob32.exe
PID 428 wrote to memory of 616 | 428 | Fbfkceca.exe | Fqikob32.exe
PID 428 wrote to memory of 616 | 428 | Fbfkceca.exe | Fqikob32.exe
PID 616 wrote to memory of 992 | 616 | Fqikob32.exe | Ggccllai.exe
PID 616 wrote to memory of 992 | 616 | Fqikob32.exe | Ggccllai.exe
PID 616 wrote to memory of 992 | 616 | Fqikob32.exe | Ggccllai.exe
PID 992 wrote to memory of 540 | 992 | Ggccllai.exe | Gdgdeppb.exe
PID 992 wrote to memory of 540 | 992 | Ggccllai.exe | Gdgdeppb.exe
PID 992 wrote to memory of 540 | 992 | Ggccllai.exe | Gdgdeppb.exe
PID 540 wrote to memory of 3744 | 540 | Gdgdeppb.exe | Gjcmngnj.exe
PID 540 wrote to memory of 3744 | 540 | Gdgdeppb.exe | Gjcmngnj.exe
PID 540 wrote to memory of 3744 | 540 | Gdgdeppb.exe | Gjcmngnj.exe
PID 3744 wrote to memory of 1604 | 3744 | Gjcmngnj.exe | Gqnejaff.exe
PID 3744 wrote to memory of 1604 | 3744 | Gjcmngnj.exe | Gqnejaff.exe
PID 3744 wrote to memory of 1604 | 3744 | Gjcmngnj.exe | Gqnejaff.exe
PID 1604 wrote to memory of 1356 | 1604 | Gqnejaff.exe | Gggmgk32.exe
PID 1604 wrote to memory of 1356 | 1604 | Gqnejaff.exe | Gggmgk32.exe
PID 1604 wrote to memory of 1356 | 1604 | Gqnejaff.exe | Gggmgk32.exe
PID 1356 wrote to memory of 1824 | 1356 | Gggmgk32.exe | Gbmadd32.exe
PID 1356 wrote to memory of 1824 | 1356 | Gggmgk32.exe | Gbmadd32.exe
PID 1356 wrote to memory of 1824 | 1356 | Gggmgk32.exe | Gbmadd32.exe
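Read together, the "Drops file in System32 directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" signatures describe a linear chain: each process drops the next EXE (plus its own DLL) under SysWOW64 with an eight-character name and starts it, and the three memory writes per hop are the footprint of the parent starting that child rather than injection into an unrelated process. The following is an added example (not part of the report and not code from the sample) that reconstructs the chain from the first three hops of the report's file and memory-write events, copied verbatim below, and separates writes into a child the writer itself dropped from writes into anything else; the line formats the regexes assume are the report's own.

```python
import re
from collections import Counter

# Events copied from the report's "Drops file in System32 directory" and
# "Suspicious use of WriteProcessMemory" lists, first three hops of the chain only.
SAMPLE_EVENTS = r"""
File created C:\Windows\SysWOW64\Fdbkja32.exe Backdoor.Win32.Padodor.SK.exe
File created C:\Windows\SysWOW64\Hmcipf32.dll Backdoor.Win32.Padodor.SK.exe
File opened for modification C:\Windows\SysWOW64\Fdbkja32.exe Backdoor.Win32.Padodor.SK.exe
File created C:\Windows\SysWOW64\Fgqgfl32.exe Fdbkja32.exe
File created C:\Windows\SysWOW64\Mkhpmopi.dll Fdbkja32.exe
File created C:\Windows\SysWOW64\Fjocbhbo.exe Fgqgfl32.exe
File created C:\Windows\SysWOW64\Fohoiloe.dll Fgqgfl32.exe
PID 2372 wrote to memory of 596 2372 Backdoor.Win32.Padodor.SK.exe Fdbkja32.exe
PID 2372 wrote to memory of 596 2372 Backdoor.Win32.Padodor.SK.exe Fdbkja32.exe
PID 2372 wrote to memory of 596 2372 Backdoor.Win32.Padodor.SK.exe Fdbkja32.exe
PID 596 wrote to memory of 4860 596 Fdbkja32.exe Fgqgfl32.exe
PID 596 wrote to memory of 4860 596 Fdbkja32.exe Fgqgfl32.exe
PID 596 wrote to memory of 4860 596 Fdbkja32.exe Fgqgfl32.exe
PID 4860 wrote to memory of 1156 4860 Fgqgfl32.exe Fjocbhbo.exe
PID 4860 wrote to memory of 1156 4860 Fgqgfl32.exe Fjocbhbo.exe
PID 4860 wrote to memory of 1156 4860 Fgqgfl32.exe Fjocbhbo.exe
"""

# Assumed line formats, taken from how the report prints these two signatures.
_FILE = re.compile(r"^File (created|opened for modification) (\S+) (\S+)$")
_WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def reconstruct(text: str):
    """Return one link per (parent, child) pair of memory-write events.

    Each link records how many writes the parent made into the child, whether
    the child's image was created on disk by that same parent, and what else
    the parent dropped (the DLL it registers as its COM server).
    """
    created_by = {}      # dropped file basename (lower-cased) -> creating process
    dropped = {}         # process -> files it created, in report order
    writes = Counter()   # (ppid, cpid, parent name, child name) -> write count
    for line in text.splitlines():
        m = _FILE.match(line)
        if m:
            if m.group(1) == "created":
                name = m.group(2).rsplit("\\", 1)[-1]
                created_by[name.lower()] = m.group(3)
                dropped.setdefault(m.group(3), []).append(name)
            continue
        m = _WRITE.match(line)
        if m:
            ppid, cpid, pname, cname = m.groups()
            writes[(int(ppid), int(cpid), pname, cname)] += 1
    links = []
    for (ppid, cpid, pname, cname), n in writes.items():
        links.append({
            "parent": pname, "parent_pid": ppid,
            "child": cname, "child_pid": cpid,
            "writes": n,
            "child_dropped_by_parent": created_by.get(cname.lower()) == pname,
            "parent_drops": dropped.get(pname, []),
        })
    return links


def execution_chain(links):
    """Follow parent -> child links from the root process (assumes a linear chain)."""
    first_child = {}
    for link in links:
        first_child.setdefault(link["parent"], link["child"])
    children = {link["child"] for link in links}
    roots = [p for p in first_child if p not in children]
    chain, cur = [], (roots[0] if roots else None)
    while cur is not None:
        chain.append(cur)
        cur = first_child.get(cur)
    return chain


def injection_candidates(links):
    """Writes into a process whose image the writer did not itself drop.

    A small fixed number of writes into a child the parent has just started
    (the report shows exactly three per hop) is the footprint of process
    creation itself; writes into a process the writer did not create are the
    ones worth examining for code injection.
    """
    return [link for link in links if not link["child_dropped_by_parent"]]


if __name__ == "__main__":
    links = reconstruct(SAMPLE_EVENTS)
    print(" -> ".join(execution_chain(links)))
    for link in links:
        print(link["parent"], "dropped", link["parent_drops"],
              "and wrote", link["writes"], "times into", link["child"])
    print("injection candidates:", injection_candidates(links))
```

On the full event list the same code yields the twelve-process chain shown in the Processes tree and no injection candidates; the value of the split is on reports where a "wrote to memory" target is a process the writer never created, which this one does not contain.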
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Fdbkja32.exe (tree depth 2)
Command line: C:\Windows\system32\Fdbkja32.exe
(The 32-bit chain refers to C:\Windows\system32 on its command lines; WOW64 file-system redirection resolves those paths to C:\Windows\SysWOW64, which is where the files actually land.)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Fgqgfl32.exe (tree depth 3)
Command line: C:\Windows\system32\Fgqgfl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Fjocbhbo.exe (tree depth 4)
Command line: C:\Windows\system32\Fjocbhbo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Fbfkceca.exe (tree depth 5)
Command line: C:\Windows\system32\Fbfkceca.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Fqikob32.exe (tree depth 6)
Command line: C:\Windows\system32\Fqikob32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Ggccllai.exe (tree depth 7)
Command line: C:\Windows\system32\Ggccllai.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Gdgdeppb.exe (tree depth 8)
Command line: C:\Windows\system32\Gdgdeppb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Gjcmngnj.exe (tree depth 9)
Command line: C:\Windows\system32\Gjcmngnj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Gqnejaff.exe (tree depth 10)
Command line: C:\Windows\system32\Gqnejaff.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Gggmgk32.exe (tree depth 11)
Command line: C:\Windows\system32\Gggmgk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Gbmadd32.exe (tree depth 12)
Command line: C:\Windows\system32\Gbmadd32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\WerFault.exe (tree depth 13)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 412
- Program crash
PID:3820
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1824 -ip 1824
PID:348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 1; a top-level process, not a child of the sample, with no signatures triggered)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
PID:4796
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Note: eleven of the twelve files below are 93KB, the same size as the submitted sample, but none of them shares the sample's hashes (MD5 91849a05f965eb8b47838d3de6311fb0), so blocking on the parent's hash alone will not catch the dropped copies.
Filesize
93KB
MD5
60bf10d291474a8103640dfe7b2889ae
SHA1
44f354fdd524f3ce9126d33eb1d6b26623325276
SHA256
41cb36b0927b1e6553e530cdcb65854d0c88c0aad210110e117162a7f63750d2
SHA512
ab5beea4ac83fae39388899517862f63199f38e47be5568b5a6a4946e9001993c3803eb58cfdcc6120cbdb001ba80a6c272244959024fc54d65c1e27b337bd8e
-
Filesize
93KB
MD5
3df4a2391c2f50714d80a199b75c9830
SHA1
d2ed0502bf53ce5dad8c2c395aaa2b8cd8701b1e
SHA256
f4f28009e73e98b9bfc7583b40d16c13dc6c536d8a242cafbe5f5a7e80ebda92
SHA512
c59ea4c488e6cafa7d4e6b763b67fc56af3ef6970ebf2a822ed783e03d8a897a22f14ea9006f526ca0c9dd14903b119314d10be9eac268cabeca745773b488df
-
Filesize
93KB
MD5
8d90779e8a0857aa62770096a624e4f3
SHA1
0588832833845b7b282677abd25fefad7fc968a5
SHA256
02cc98a49dd77cd8bce7b8cf88b273b16be5a038785a29e4d0848f53ed547563
SHA512
6694a6ba7243539d65526bbea3b3dc3ad00d5bca18916050742f96cc2b24dfa0a23566d8d658f7afabfcd9f25b621499b1f07ca09f47c6e265409eca854a5abc
-
Filesize
93KB
MD5
665516fd380fdaded6bd89bf0d32e0de
SHA1
b03dad89dc4cec3a52cc9bc6ceb2d509c72080aa
SHA256
6ee5a024034a1fbda46e7685a064620c50074885978f9fcae2298cd805cd6f0a
SHA512
e38291d5ce5c9333354a5581ffd4f992c979fa88f78ceba24b04f9434c46278f0c2cfcd560b5c38c9cdb05b749473d03a55df85af3adc50dbaa6c780fb8f8a45
-
Filesize
93KB
MD5
b76356d51203a639488cf720f64f7c65
SHA1
57bcb5257c26675b6e5d4ce76e4465d1695f0598
SHA256
773f83b26c3849f38c3ef63eacccb73973415e6d1f552702917fdffc3dbfe8d2
SHA512
68e7d1d5f7b497f56689a5392ad8ab07f07cf90d64b97fbc8d9a20f3a9e4d0cc80ca6f5c0d07f3e956f0ea5aef2453186a928fafe7dec11bdd2a1afef785768e
-
Filesize
93KB
MD5
8e7d81fddc62c67c5776afaae3c5bea6
SHA1
f04716a56759587402051045f8cf20751eaab507
SHA256
dfb352fdf0fd446a94b26f682c9d6a419283edd02cd4593ef273e4f641c85144
SHA512
27d191fb9166407c0c3174de842a9d25499a15885ca98fe2a4d300aeb9607b6f7a1b8974304b456ba4c0ad9a0cccb88bf458facd9271e9f428c6baca385cc7c3
-
Filesize
93KB
MD5
4f897d3ea130a798dc27fae283ae8549
SHA1
cc0c69ec291279e9c635d0571cadbacc1e4af4a3
SHA256
b8a43c8750b11ee35fe6889c5fa4ab6dd481408c59727f6d5f300c6d3134b180
SHA512
6fa279b8b4dc340a26e594ee355cc710b1c537859bba4237f0bd7cf4ef000fe1f530ee9955c3ff6cdd3de0b581f94bff7b35df54d941421bd644fb4ce6872238
-
Filesize
93KB
MD5
10a64ad007eb89cc63b6ae42e359b6d1
SHA1
9895cd5ffa746fe116c1f3f167f048ab33601c20
SHA256
c800aa773cbc4be1df58ac8346e4e697847bf55f38c036107bad701c29e6e908
SHA512
e63e91a42eacb3192de8b75543d4b637b2870955332e32f98b696a613869237ad38456473685b77b7ff3672f879a600b9c2630a72b40d84a17d33774c87196d1
-
Filesize
93KB
MD5
bc07a70cfc3984b30b86a8c7295df7cb
SHA1
3908f4296516fd90a18c0a14bb6c7f2834508bf0
SHA256
270ba2840b9ff7bf1fea88a3bd6568ed4d12b75508bfb843e7683370a512c98c
SHA512
c9a07d8834c898edb5e5b714ee50f52fa7ff6a86d929550f128498ef48a0a45bef03f3ff8f360104c8ca5a3dee58983dcc37d862279bbd4a7235d45be2932a3f
-
Filesize
93KB
MD5
9ffd791e6213af24de3ad015f511ae9a
SHA1
9056315ec3824e29ea604ecc4ab4f6d5406ff3d0
SHA256
573f5022530894f2bffcbba85266ee3098883b90a2b03b04d40d8e435f4ea13b
SHA512
39c56d9fcfee7014ffa43c8bcdad7cfce3034850a4b150af11587de50cf5fe5b39df2c68118544f9213d151ce42144791eb542c0ea033479d105a8afd090c63c
-
Filesize
93KB
MD5
e6a095a46f29e7bae299018cbfb80f27
SHA1
f7d67331e186572f9fa0ce6c20ae09d18b5144f5
SHA256
41abf7e9cbb1460233bdac5aaff953a93e88100fa918826b960c4e7e003047a7
SHA512
ebffc38d5fb716312787e32745db37c6d43efdd21ff3e26898ab7cd1a57b6c9b7067cd5d435328f8dbd579ecd55c517ebe6f2b78ba30ffa4835348dc20949147
-
Filesize
7KB
MD5
b896b5420fff95ea3df3a16660379c84
SHA1
67a6930c03994bd8790ee3c1496490d3806756c7
SHA256
d05fd428fb023841975fd4f935aa38683e05fbf54eebe623976b96bfcacf1cbb
SHA512
e67acf946161194707b4ef4f9d5056c3ae716ec0c54bfe1aedbba921f3907f16ac9e19f60a5ae8ca08f4f3ae94e5aa3dd5447a112aedc3d102450592a72ae7d8