Analysis
-
max time kernel
95s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 10:45
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
96KB
-
MD5
967480ddc7351bf48eac385f300a0e50
-
SHA1
69aa17a8eddc59d8cf7911c8bf9fa82f42dfc02a
-
SHA256
cab08c7ebe98710daa4326a1e937ba85776678e40dc89bb4e1e0d9c72166dc5d
-
SHA512
df59be02c650f947d9021b3c4ac616ac726324597238fac4e7c217db8d023373217968339b860fdf348895e4ff48e32b53bc24a88d0738a400101712919cafb2
-
SSDEEP
1536:b09/AR1M/3ueHscBPDOf3gvs99wP3UNjyRQ+MVR5R45WtqV9R2R462izMg3R7ih9:qoRG3ueMcBPif3gESkjye+6HrtG9MW3H
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Knlleepl.exePpjgoaoj.exeDpehof32.exeNkqkhk32.exeBnhenj32.exeNklbmllg.exeFpejlmcf.exeIcknfcol.exeAogiap32.exeEiahnnph.exeEhlhih32.exeIgedlh32.exeJhijqj32.exeObjpoh32.exePchlpfjb.exeNgqagcag.exeCqpbglno.exePoomegpf.exeLqkgbcff.exeMepfiq32.exeMjokgg32.exeJoiccj32.exeQgnbaj32.exeIinjhh32.exeBaadiiif.exeKflnfcgg.exeMbbagk32.exeOekiqccc.exeHlegnjbm.exeEbimgcfi.exeAgimkk32.exeOlckbd32.exeCjjcfabm.exeHajpbckl.exePknqoc32.exeIpgbdbqb.exeLcgpni32.exeHkdjfb32.exeKeqdmihc.exeMgobel32.exePjmjdm32.exeCgifbhid.exeIohjlmeg.exeEdmclccp.exeAdikdfna.exeOhpkmn32.exeOndljl32.exeBnoddcef.exeCdimqm32.exeBqdblmhl.exeKjmmepfj.exeNnkpnclp.exeMgbefe32.exeLieccf32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knlleepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjgoaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpehof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqkhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpejlmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eiahnnph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igedlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhijqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Objpoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchlpfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngqagcag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqpbglno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poomegpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joiccj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baadiiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kflnfcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbbagk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlegnjbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebimgcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjjcfabm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajpbckl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcgpni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oekiqccc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgobel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iohjlmeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebimgcfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohpkmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnoddcef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnkpnclp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbefe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lieccf32.exe -
Executes dropped EXE 64 IoCs
Processes:
Iohjlmeg.exeIfbbig32.exeIhqoeb32.exeIkokan32.exeIbicnh32.exeIickkbje.exeIkaggmii.exeIbkpcg32.exeIghhln32.exeInbqhhfj.exeIeliebnf.exeIkfabm32.exeIndmnh32.exeIfleoe32.exeIijaka32.exeJodjhkkj.exeJbbfdfkn.exeJeqbpb32.exeJilnqqbj.exeJgonlm32.exeJoffnk32.exeJiokfpph.exeJoiccj32.exeJfbkpd32.exeJkodhk32.exeJbileede.exeJpmlnjco.exeJghabl32.exeKelalp32.exeKflnfcgg.exeKbbokdlk.exeKeakgpko.exeKhpgckkb.exeKfqgab32.exeKlmpiiai.exeKnlleepl.exeKefdbo32.exeLhdqnj32.exeLfealaol.exeLfhnaa32.exeLhijijbg.exeLppbkgcj.exeLbnngbbn.exeLemkcnaa.exeLpbopfag.exeLikcilhh.exeLoglacfo.exeLfodbqfa.exeMhppji32.exeMojhgbdl.exeMedqcmki.exeMhbmphjm.exeMolelb32.exeMfcmmp32.exeMibijk32.exeMffjcopi.exeMidfokpm.exeMpnnle32.exeMblkhq32.exeMifcejnj.exeMhicpg32.exeMockmala.exeNemcjk32.exeNhlpfgbb.exepid process 4412 Iohjlmeg.exe 4748 Ifbbig32.exe 5072 Ihqoeb32.exe 4560 Ikokan32.exe 1688 Ibicnh32.exe 3140 Iickkbje.exe 3488 Ikaggmii.exe 4052 Ibkpcg32.exe 1064 Ighhln32.exe 1660 Inbqhhfj.exe 3916 Ieliebnf.exe 4988 Ikfabm32.exe 2044 Indmnh32.exe 4756 Ifleoe32.exe 536 Iijaka32.exe 704 Jodjhkkj.exe 1596 Jbbfdfkn.exe 3224 Jeqbpb32.exe 2148 Jilnqqbj.exe 5028 Jgonlm32.exe 2964 Joffnk32.exe 2432 Jiokfpph.exe 4092 Joiccj32.exe 900 Jfbkpd32.exe 372 Jkodhk32.exe 2332 Jbileede.exe 2504 Jpmlnjco.exe 1208 Jghabl32.exe 3204 Kelalp32.exe 1840 Kflnfcgg.exe 632 Kbbokdlk.exe 4680 Keakgpko.exe 4340 Khpgckkb.exe 3872 Kfqgab32.exe 3148 Klmpiiai.exe 1560 Knlleepl.exe 3304 Kefdbo32.exe 1204 Lhdqnj32.exe 2936 Lfealaol.exe 1096 Lfhnaa32.exe 2896 Lhijijbg.exe 3348 Lppbkgcj.exe 4084 Lbnngbbn.exe 2204 Lemkcnaa.exe 4448 Lpbopfag.exe 3076 Likcilhh.exe 2724 Loglacfo.exe 1600 Lfodbqfa.exe 4528 Mhppji32.exe 4992 Mojhgbdl.exe 736 Medqcmki.exe 1492 Mhbmphjm.exe 2976 Molelb32.exe 4008 Mfcmmp32.exe 3168 Mibijk32.exe 2592 Mffjcopi.exe 3116 Midfokpm.exe 1796 Mpnnle32.exe 5004 Mblkhq32.exe 4596 Mifcejnj.exe 4068 Mhicpg32.exe 3940 Mockmala.exe 1032 Nemcjk32.exe 2792 Nhlpfgbb.exe -
Drops file in System32 directory 64 IoCs
Processes:
Keimof32.exeDamfao32.exeGpfjma32.exeMnpabe32.exeJhlgfj32.exeJdaaaeqg.exeMjlhgaqp.exeBhblllfo.exeCponen32.exeIkfabm32.exePcmlfl32.exeCjgpfk32.exeHbhijepa.exeGdjibj32.exeOjdnid32.exeOhfami32.exePjpobg32.exeHlegnjbm.exeHefnkkkj.exeDblgpl32.exeEbdcld32.exeHoaojp32.exeJgbchj32.exeGmeakf32.exeBmabggdm.exePmaffnce.exeBaadiiif.exeFpimlfke.exeAoofle32.exeBmlilh32.exeFpggamqc.exeIciaqc32.exeOmgcpokp.exeAcpbbi32.exeKiggbhda.exeEmjgim32.exeFealin32.exeOaplqh32.exeLhdqnj32.exeGfheof32.exeAmqhbe32.exeFmikeaap.exePefabkej.exeHdhedh32.exeOhpkmn32.exeEjalcgkg.exeCncnob32.exeOpemca32.exeJnlbojee.exeJgbjbp32.exeCfcjfk32.exeHcmbee32.exeGpqjglii.exeMcqjon32.exeMkmkkjko.exeKpmdfonj.exedescription ioc process File created C:\Windows\SysWOW64\Kjeiodek.exe Keimof32.exe File created C:\Windows\SysWOW64\Hknfelnj.dll Damfao32.exe File opened for modification C:\Windows\SysWOW64\Pcgdhkem.exe File created C:\Windows\SysWOW64\Bgbfaeek.dll Gpfjma32.exe File created C:\Windows\SysWOW64\Manmoq32.exe Mnpabe32.exe File opened for modification C:\Windows\SysWOW64\Jgogbgei.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Jklinohd.exe Jdaaaeqg.exe File created C:\Windows\SysWOW64\Dkodcb32.dll Mjlhgaqp.exe File created C:\Windows\SysWOW64\Gpojkp32.dll Bhblllfo.exe File created C:\Windows\SysWOW64\Cdkifmjq.exe Cponen32.exe File created C:\Windows\SysWOW64\Kkqdpn32.dll Ikfabm32.exe File created C:\Windows\SysWOW64\Pjgebf32.exe Pcmlfl32.exe File created C:\Windows\SysWOW64\Ngcglo32.dll File created C:\Windows\SysWOW64\Bfdhdp32.dll Cjgpfk32.exe File created C:\Windows\SysWOW64\Pjnppabn.dll Hbhijepa.exe File created C:\Windows\SysWOW64\Icbcjhfb.dll File opened for modification C:\Windows\SysWOW64\Gfheof32.exe Gdjibj32.exe File created C:\Windows\SysWOW64\Omcjep32.exe Ojdnid32.exe File opened for modification C:\Windows\SysWOW64\Ojdnid32.exe Ohfami32.exe File created C:\Windows\SysWOW64\Gnnccl32.exe File created C:\Windows\SysWOW64\Ppjgoaoj.exe Pjpobg32.exe File created C:\Windows\SysWOW64\Cdbbdk32.dll Hlegnjbm.exe File created C:\Windows\SysWOW64\Ogigdpmb.dll Hefnkkkj.exe File created C:\Windows\SysWOW64\Kebncn32.dll Dblgpl32.exe File opened for modification C:\Windows\SysWOW64\Eecphp32.exe Ebdcld32.exe File created C:\Windows\SysWOW64\Hfhgkmpj.exe Hoaojp32.exe File opened for modification C:\Windows\SysWOW64\Jlolpq32.exe Jgbchj32.exe File opened for modification C:\Windows\SysWOW64\Noppeaed.exe File created C:\Windows\SysWOW64\Nkiebg32.dll Gmeakf32.exe File created C:\Windows\SysWOW64\Ioenpjfm.dll Bmabggdm.exe File opened for modification C:\Windows\SysWOW64\Pdkoch32.exe Pmaffnce.exe File opened for modification C:\Windows\SysWOW64\Bhkmec32.exe Baadiiif.exe File created C:\Windows\SysWOW64\Fbgihaji.exe Fpimlfke.exe File created C:\Windows\SysWOW64\Ackbmcjl.exe Aoofle32.exe File created C:\Windows\SysWOW64\Liaolo32.dll Bmlilh32.exe File created C:\Windows\SysWOW64\Ikfhji32.dll Fpggamqc.exe File created C:\Windows\SysWOW64\Pfejnf32.dll Iciaqc32.exe File created C:\Windows\SysWOW64\Ghoqak32.dll Omgcpokp.exe File created C:\Windows\SysWOW64\Hlblcn32.exe File created C:\Windows\SysWOW64\Afnnnd32.exe Acpbbi32.exe File opened for modification C:\Windows\SysWOW64\Kkfcndce.exe Kiggbhda.exe File opened for modification C:\Windows\SysWOW64\Enkdaepb.exe Emjgim32.exe File opened for modification C:\Windows\SysWOW64\Flkdfh32.exe Fealin32.exe File opened for modification C:\Windows\SysWOW64\Ocohmc32.exe Oaplqh32.exe File created C:\Windows\SysWOW64\Gflonn32.dll File created C:\Windows\SysWOW64\Lfealaol.exe Lhdqnj32.exe File created C:\Windows\SysWOW64\Mpggodfg.dll Gfheof32.exe File created C:\Windows\SysWOW64\Lielhgaa.dll Amqhbe32.exe File opened for modification C:\Windows\SysWOW64\Foapaa32.exe File opened for modification C:\Windows\SysWOW64\Fpggamqc.exe Fmikeaap.exe File opened for modification C:\Windows\SysWOW64\Plpjoe32.exe Pefabkej.exe File opened for modification C:\Windows\SysWOW64\Hgfapd32.exe Hdhedh32.exe File created C:\Windows\SysWOW64\Hnnpaa32.dll Ohpkmn32.exe File created C:\Windows\SysWOW64\Elbhjp32.exe Ejalcgkg.exe File created C:\Windows\SysWOW64\Cpkhqmjb.dll Cncnob32.exe File created C:\Windows\SysWOW64\Ollnhb32.exe Opemca32.exe File opened for modification C:\Windows\SysWOW64\Jlobkg32.exe Jnlbojee.exe File opened for modification C:\Windows\SysWOW64\Jnlbojee.exe Jgbjbp32.exe File created C:\Windows\SysWOW64\Njoddaaj.dll Cfcjfk32.exe File created C:\Windows\SysWOW64\Hkdjfb32.exe Hcmbee32.exe File created C:\Windows\SysWOW64\Lejomj32.dll Gpqjglii.exe File created C:\Windows\SysWOW64\Mjkblhfo.exe Mcqjon32.exe File created C:\Windows\SysWOW64\Kbgbpn32.dll Mkmkkjko.exe File created C:\Windows\SysWOW64\Appfnncn.dll Kpmdfonj.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 8180 8516 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Baadiiif.exeGmojkj32.exeNjmqnobn.exeOiihahme.exeKqpoakco.exeObjpoh32.exeDpgnjo32.exeGbdoof32.exeFnnjmbpm.exeKpmdfonj.exeBjcmebie.exeGknkpjfb.exeAhenokjf.exeNjfagf32.exeBpkdjofm.exeEnfckp32.exeHglaej32.exeMaiccajf.exeJbbfdfkn.exeFfpicn32.exeOhiemobf.exeBfngdn32.exeDcnqpo32.exeOmjpeo32.exeLhijijbg.exeAqmlknnd.exeHjhalefe.exeBbnkonbd.exeOdoogi32.exeMlbkap32.exeHkdjfb32.exeIgpdfb32.exeAknifq32.exeFijkdmhn.exeIoolkncg.exeBcahmb32.exeAbponp32.exeCfqmpl32.exeJdaaaeqg.exeNqmfdj32.exeIfbbig32.exePlpqil32.exeAjdjin32.exeDblgpl32.exeDooaoj32.exeBohibc32.exeGlldgljg.exeMgbefe32.exeBppfmigl.exePhfcipoo.exeDoojec32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baadiiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmojkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiihahme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqpoakco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgnjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmdfonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjcmebie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknkpjfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahenokjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpkdjofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enfckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiccajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbfdfkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhijijbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqmlknnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhalefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbnkonbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijkdmhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioolkncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcahmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abponp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfqmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaaaeqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmfdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbbig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblgpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glldgljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bppfmigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfcipoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doojec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Afgacokc.exeDhhfedil.exeBoihcf32.exeJjjghcfp.exeEbjcajjd.exeLjaoeini.exeOnapdl32.exePpgegd32.exeEdemkd32.exeIqipio32.exeMcqjon32.exeEokqkh32.exeKlfaapbl.exeMniallpq.exeKkconn32.exeKcndbp32.exeEbfign32.exeJcikgacl.exeEojiqb32.exeCffmfadl.exeFdffbake.exeAagkhd32.exeCjjlkk32.exeNlcalieg.exePpjgoaoj.exeEqdpgk32.exeEdopabqn.exeLmpkadnm.exeDdjmba32.exeCggimh32.exeNhmeapmd.exeLopmii32.exeQhakoa32.exeBmbiamhi.exeNenbjo32.exeOkkdic32.exeLlodgnja.exeKbbokdlk.exeOblmdhdo.exeKpoalo32.exeEiahnnph.exeHpiecd32.exeNjghbl32.exeFjjnifbl.exeMfnoqc32.exeGigheh32.exeJbkbpoog.exeBnhenj32.exeEfblbbqd.exeDcjnoece.exeIinqbn32.exeEbnfbcbc.exeImnocf32.exeAehgnied.exeEmehdh32.exeNclikl32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jimehgni.dll" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjjghcfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljaoeini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll" Ppgegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edemkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcqjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll" Klfaapbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mniallpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekooihip.dll" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdcakkc.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcndbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll" Ebfign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cffmfadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfjipgp.dll" Cjjlkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deohpe32.dll" Ppjgoaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbepb32.dll" Eqdpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcdkfq32.dll" Edopabqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcmcm32.dll" Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll" Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmimp32.dll" Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhebonp.dll" Qhakoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhagaamj.dll" Kbbokdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekhop32.dll" Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll" Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfhllkp.dll" Hpiecd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npodfe32.dll" Fjjnifbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqhgk32.dll" Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklhm32.dll" Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnhenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnidao32.dll" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebnfbcbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imnocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnadil32.dll" Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihoif32.dll" Emehdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nclikl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exeIohjlmeg.exeIfbbig32.exeIhqoeb32.exeIkokan32.exeIbicnh32.exeIickkbje.exeIkaggmii.exeIbkpcg32.exeIghhln32.exeInbqhhfj.exeIeliebnf.exeIkfabm32.exeIndmnh32.exeIfleoe32.exeIijaka32.exeJodjhkkj.exeJbbfdfkn.exeJeqbpb32.exeJilnqqbj.exeJgonlm32.exeJoffnk32.exedescription pid process target process PID 3152 wrote to memory of 4412 3152 Backdoor.Win32.Padodor.SK.exe Iohjlmeg.exe PID 3152 wrote to memory of 4412 3152 Backdoor.Win32.Padodor.SK.exe Iohjlmeg.exe PID 3152 wrote to memory of 4412 3152 Backdoor.Win32.Padodor.SK.exe Iohjlmeg.exe PID 4412 wrote to memory of 4748 4412 Iohjlmeg.exe Ifbbig32.exe PID 4412 wrote to memory of 4748 4412 Iohjlmeg.exe Ifbbig32.exe PID 4412 wrote to memory of 4748 4412 Iohjlmeg.exe Ifbbig32.exe PID 4748 wrote to memory of 5072 4748 Ifbbig32.exe Ihqoeb32.exe PID 4748 wrote to memory of 5072 4748 Ifbbig32.exe Ihqoeb32.exe PID 4748 wrote to memory of 5072 4748 Ifbbig32.exe Ihqoeb32.exe PID 5072 wrote to memory of 4560 5072 Ihqoeb32.exe Ikokan32.exe PID 5072 wrote to memory of 4560 5072 Ihqoeb32.exe Ikokan32.exe PID 5072 wrote to memory of 4560 5072 Ihqoeb32.exe Ikokan32.exe PID 4560 wrote to memory of 1688 4560 Ikokan32.exe Ibicnh32.exe PID 4560 wrote to memory of 1688 4560 Ikokan32.exe Ibicnh32.exe PID 4560 wrote to memory of 1688 4560 Ikokan32.exe Ibicnh32.exe PID 1688 wrote to memory of 3140 1688 Ibicnh32.exe Iickkbje.exe PID 1688 wrote to memory of 3140 1688 Ibicnh32.exe Iickkbje.exe PID 1688 wrote to memory of 3140 1688 Ibicnh32.exe Iickkbje.exe PID 3140 wrote to memory of 3488 3140 Iickkbje.exe Ikaggmii.exe PID 3140 wrote to memory of 3488 3140 Iickkbje.exe Ikaggmii.exe PID 3140 wrote to memory of 3488 3140 Iickkbje.exe Ikaggmii.exe PID 3488 wrote to memory of 4052 3488 Ikaggmii.exe Ibkpcg32.exe PID 3488 wrote to memory of 4052 3488 Ikaggmii.exe Ibkpcg32.exe PID 3488 wrote to memory of 4052 3488 Ikaggmii.exe Ibkpcg32.exe PID 4052 wrote to memory of 1064 4052 Ibkpcg32.exe Ighhln32.exe PID 4052 wrote to memory of 1064 4052 Ibkpcg32.exe Ighhln32.exe PID 4052 wrote to memory of 1064 4052 Ibkpcg32.exe Ighhln32.exe PID 1064 wrote to memory of 1660 1064 Ighhln32.exe Inbqhhfj.exe PID 1064 wrote to memory of 1660 1064 Ighhln32.exe Inbqhhfj.exe PID 1064 wrote to memory of 1660 1064 Ighhln32.exe Inbqhhfj.exe PID 1660 wrote to memory of 3916 1660 Inbqhhfj.exe Ieliebnf.exe PID 1660 wrote to memory of 3916 1660 Inbqhhfj.exe Ieliebnf.exe PID 1660 wrote to memory of 3916 1660 Inbqhhfj.exe Ieliebnf.exe PID 3916 wrote to memory of 4988 3916 Ieliebnf.exe Ikfabm32.exe PID 3916 wrote to memory of 4988 3916 Ieliebnf.exe Ikfabm32.exe PID 3916 wrote to memory of 4988 3916 Ieliebnf.exe Ikfabm32.exe PID 4988 wrote to memory of 2044 4988 Ikfabm32.exe Indmnh32.exe PID 4988 wrote to memory of 2044 4988 Ikfabm32.exe Indmnh32.exe PID 4988 wrote to memory of 2044 4988 Ikfabm32.exe Indmnh32.exe PID 2044 wrote to memory of 4756 2044 Indmnh32.exe Ifleoe32.exe PID 2044 wrote to memory of 4756 2044 Indmnh32.exe Ifleoe32.exe PID 2044 wrote to memory of 4756 2044 Indmnh32.exe Ifleoe32.exe PID 4756 wrote to memory of 536 4756 Ifleoe32.exe Iijaka32.exe PID 4756 wrote to memory of 536 4756 Ifleoe32.exe Iijaka32.exe PID 4756 wrote to memory of 536 4756 Ifleoe32.exe Iijaka32.exe PID 536 wrote to memory of 704 536 Iijaka32.exe Jodjhkkj.exe PID 536 wrote to memory of 704 536 Iijaka32.exe Jodjhkkj.exe PID 536 wrote to memory of 704 536 Iijaka32.exe Jodjhkkj.exe PID 704 wrote to memory of 1596 704 Jodjhkkj.exe Jbbfdfkn.exe PID 704 wrote to memory of 1596 704 Jodjhkkj.exe Jbbfdfkn.exe PID 704 wrote to memory of 1596 704 Jodjhkkj.exe Jbbfdfkn.exe PID 1596 wrote to memory of 3224 1596 Jbbfdfkn.exe Jeqbpb32.exe PID 1596 wrote to memory of 3224 1596 Jbbfdfkn.exe Jeqbpb32.exe PID 1596 wrote to memory of 3224 1596 Jbbfdfkn.exe Jeqbpb32.exe PID 3224 wrote to memory of 2148 3224 Jeqbpb32.exe Jilnqqbj.exe PID 3224 wrote to memory of 2148 3224 Jeqbpb32.exe Jilnqqbj.exe PID 3224 wrote to memory of 2148 3224 Jeqbpb32.exe Jilnqqbj.exe PID 2148 wrote to memory of 5028 2148 Jilnqqbj.exe Jgonlm32.exe PID 2148 wrote to memory of 5028 2148 Jilnqqbj.exe Jgonlm32.exe PID 2148 wrote to memory of 5028 2148 Jilnqqbj.exe Jgonlm32.exe PID 5028 wrote to memory of 2964 5028 Jgonlm32.exe Joffnk32.exe PID 5028 wrote to memory of 2964 5028 Jgonlm32.exe Joffnk32.exe PID 5028 wrote to memory of 2964 5028 Jgonlm32.exe Joffnk32.exe PID 2964 wrote to memory of 2432 2964 Joffnk32.exe Jiokfpph.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe23⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe25⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe26⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe27⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe28⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe29⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe30⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe33⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe34⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe35⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe36⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe38⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1204 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe40⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe41⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe43⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe44⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe45⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe46⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe47⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe48⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe49⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe50⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe51⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe52⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe53⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe54⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe55⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe56⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe57⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe58⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe59⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe60⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe61⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe62⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe63⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe64⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe65⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe66⤵PID:2268
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe67⤵PID:2216
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe68⤵PID:1880
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe69⤵PID:3448
-
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe70⤵PID:2220
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe71⤵PID:1140
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe72⤵PID:3432
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe73⤵PID:1844
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe74⤵PID:3280
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe75⤵PID:4304
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe76⤵PID:1180
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe77⤵PID:3620
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4852 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe79⤵PID:3516
-
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe80⤵PID:4056
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe81⤵
- System Location Discovery: System Language Discovery
PID:4488 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe82⤵PID:1788
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe83⤵
- Drops file in System32 directory
PID:3080 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe84⤵PID:1808
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe85⤵PID:2368
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe86⤵
- Drops file in System32 directory
PID:4972 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe88⤵PID:1768
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe89⤵PID:3428
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe90⤵PID:4732
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe91⤵PID:3852
-
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe92⤵PID:5076
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe93⤵
- Drops file in System32 directory
PID:4580 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe94⤵PID:1020
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe95⤵PID:32
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe96⤵PID:2132
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe97⤵PID:2912
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe98⤵PID:3144
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe99⤵PID:2296
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe101⤵PID:3284
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe102⤵PID:2660
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe103⤵PID:3980
-
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe104⤵PID:4828
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe105⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe106⤵PID:5176
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe107⤵PID:5220
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe108⤵PID:5264
-
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe109⤵PID:5308
-
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe110⤵PID:5352
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe111⤵PID:5396
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe112⤵
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe113⤵PID:5484
-
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe114⤵PID:5528
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe115⤵PID:5572
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe116⤵PID:5616
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe117⤵PID:5652
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe118⤵PID:5696
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe119⤵
- Drops file in System32 directory
PID:5748 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe120⤵PID:5792
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe121⤵PID:5840
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe123⤵PID:5920
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe124⤵PID:5972
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe125⤵PID:6016
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe126⤵PID:6060
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe127⤵PID:6104
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe128⤵PID:5132
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe129⤵PID:5228
-
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe130⤵PID:5296
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe131⤵PID:5364
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe132⤵PID:5424
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe133⤵PID:5500
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe134⤵PID:5580
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe135⤵
- System Location Discovery: System Language Discovery
PID:5644 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe136⤵
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe137⤵
- System Location Discovery: System Language Discovery
PID:5780 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe138⤵PID:5852
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe139⤵PID:5916
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5988 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe141⤵PID:6000
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe142⤵PID:3952
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe143⤵PID:5208
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe144⤵PID:5348
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5448 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe146⤵PID:5512
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe147⤵PID:5664
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe148⤵PID:5756
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe149⤵PID:5836
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe150⤵PID:5968
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe151⤵PID:6048
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe152⤵PID:5144
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe153⤵PID:5316
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe154⤵PID:5564
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe155⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe156⤵PID:5832
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe157⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe158⤵PID:6128
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe159⤵PID:5416
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe160⤵PID:5660
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe161⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe162⤵PID:5216
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe163⤵PID:5524
-
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe164⤵PID:6028
-
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe165⤵PID:3888
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe166⤵PID:5912
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5692 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe168⤵PID:5848
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe169⤵PID:6172
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe170⤵PID:6216
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe171⤵PID:6256
-
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe172⤵PID:6304
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe173⤵PID:6348
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe174⤵
- Modifies registry class
PID:6392 -
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe175⤵PID:6436
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe176⤵PID:6480
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe177⤵PID:6524
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe178⤵PID:6568
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe179⤵PID:6612
-
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe180⤵PID:6656
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe181⤵PID:6700
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe182⤵PID:6744
-
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe183⤵PID:6788
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6824 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe185⤵PID:6872
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe186⤵
- Modifies registry class
PID:6916 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe187⤵
- Modifies registry class
PID:6960 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe188⤵PID:7008
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe189⤵PID:7052
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe190⤵PID:7096
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe191⤵
- System Location Discovery: System Language Discovery
PID:7140 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe192⤵PID:5212
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe193⤵PID:6228
-
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe194⤵PID:6296
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe195⤵PID:6332
-
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe196⤵PID:6444
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe197⤵
- Modifies registry class
PID:6520 -
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe198⤵PID:6576
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe199⤵PID:5812
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe200⤵PID:6696
-
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe201⤵PID:6772
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe202⤵PID:6816
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe203⤵PID:6892
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe204⤵PID:6980
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe205⤵
- Modifies registry class
PID:7040 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe206⤵PID:7112
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe207⤵PID:6148
-
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe208⤵PID:6252
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe209⤵
- Drops file in System32 directory
PID:6424 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe210⤵PID:6600
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe211⤵PID:6760
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe212⤵PID:6860
-
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe213⤵PID:6996
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe214⤵
- Drops file in System32 directory
PID:6208 -
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe215⤵PID:6556
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe216⤵PID:6692
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe217⤵PID:6968
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe218⤵PID:6344
-
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe219⤵PID:6808
-
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe220⤵
- System Location Discovery: System Language Discovery
PID:6316 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe221⤵PID:6784
-
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe222⤵PID:6664
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe223⤵PID:6992
-
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7192 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe225⤵PID:7236
-
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe226⤵PID:7280
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe227⤵PID:7320
-
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe228⤵PID:7368
-
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe229⤵PID:7408
-
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe230⤵
- System Location Discovery: System Language Discovery
PID:7452 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe231⤵PID:7496
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe232⤵
- System Location Discovery: System Language Discovery
PID:7540 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe233⤵PID:7580
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe234⤵PID:7628
-
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe235⤵PID:7668
-
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe236⤵PID:7712
-
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe237⤵PID:7756
-
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe238⤵PID:7796
-
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe239⤵
- Modifies registry class
PID:7844 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe240⤵PID:7884
-
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe241⤵PID:7928
-
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe242⤵PID:7972