Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 11:16
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
80KB
-
MD5
e32c7e642aac26a9f7c650a22241e2e0
-
SHA1
be31fa284f646317f59b7ca292dd2ee76e899f2f
-
SHA256
4e43d404005df45bd6a8cc8d9e6c743ee8bb612740a74f66ff133e8d8ed771b5
-
SHA512
c46f5c8d70387b12011db1e4415aea37d3f9470057ac0736b8281eec69335848ffe72d64381c7a8f7aeb4bc0b262fe621e7197336bd575cf9d61a12377a44ec7
-
SSDEEP
1536:IQoVmgQorsgdU9rlQbIGAJ47taIhOHmBhCt/P6RQBR/RgpMujAYC+O+Y:I3mSESUep8GhCt/P6eBVqLAYC+O+Y
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Elilmi32.exeJobfdl32.exeIljpgl32.exeMlbllc32.exeCnebmgjj.exeGgicbe32.exeOkpkgm32.exeEliecc32.exeBchgnoai.exeKahinkaf.exeNkeipk32.exeFjeibc32.exeHllcfnhm.exeOfjokc32.exePehnboko.exeJejbhk32.exeJgekdq32.exeImhjlb32.exeMdaqhf32.exeNagngjmj.exeGiddddad.exeLoemnnhe.exeDdhhbngi.exeMhkgnkoj.exeApcllk32.exeMoomgl32.exeCfeplh32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jobfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iljpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlbllc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnebmgjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggicbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eliecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bchgnoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahinkaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkeipk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjeibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hllcfnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjokc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pehnboko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jejbhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgekdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imhjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdaqhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagngjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Giddddad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Loemnnhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddhhbngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhkgnkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apcllk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Moomgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfeplh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" -
Executes dropped EXE 64 IoCs
Processes:
Ibdplaho.exeIhaidhgf.exeInkaqb32.exeIdhiii32.exeJnnnfalp.exeJdjfohjg.exeJjdokb32.exeJejbhk32.exeJldkeeig.exeJaqcnl32.exeJdopjh32.exeJnedgq32.exeJeolckne.exeJjnaaa32.exeKahinkaf.exeKbgfhnhi.exeKongmo32.exeKehojiej.exeKlbgfc32.exeKaopoj32.exeKhihld32.exeKkgdhp32.exeKaaldjil.exeKlgqabib.exeLoemnnhe.exeLeoejh32.exeLhmafcnf.exeLbcedmnl.exeLddble32.exeLhpnlclc.exeLedoegkm.exeLbhool32.exeLhdggb32.exeMlbpma32.exeMekdffee.exeMkgmoncl.exeMemalfcb.exeMdbnmbhj.exeMafofggd.exeMkocol32.exeNhbciqln.exeNheqnpjk.exeNkcmjlio.exeNdlacapp.exeNkeipk32.exeNfknmd32.exeNkhfek32.exeNbbnbemf.exeNlgbon32.exeNbdkhe32.exeOljoen32.exeOcdgahag.exeOhqpjo32.exeOcfdgg32.exeOdgqopeb.exeOkailj32.exeOfgmib32.exeOkceaikl.exeObnnnc32.exeOmcbkl32.exeObpkcc32.exePdngpo32.exePkholi32.exePfncia32.exepid process 1016 Ibdplaho.exe 4708 Ihaidhgf.exe 4864 Inkaqb32.exe 3044 Idhiii32.exe 3344 Jnnnfalp.exe 916 Jdjfohjg.exe 4496 Jjdokb32.exe 3032 Jejbhk32.exe 1140 Jldkeeig.exe 3112 Jaqcnl32.exe 3188 Jdopjh32.exe 3120 Jnedgq32.exe 4032 Jeolckne.exe 2212 Jjnaaa32.exe 2516 Kahinkaf.exe 4488 Kbgfhnhi.exe 2924 Kongmo32.exe 1960 Kehojiej.exe 2704 Klbgfc32.exe 4588 Kaopoj32.exe 4088 Khihld32.exe 3152 Kkgdhp32.exe 3340 Kaaldjil.exe 668 Klgqabib.exe 3780 Loemnnhe.exe 3252 Leoejh32.exe 4368 Lhmafcnf.exe 2408 Lbcedmnl.exe 1152 Lddble32.exe 2040 Lhpnlclc.exe 3448 Ledoegkm.exe 32 Lbhool32.exe 4872 Lhdggb32.exe 656 Mlbpma32.exe 4492 Mekdffee.exe 4584 Mkgmoncl.exe 3724 Memalfcb.exe 2612 Mdbnmbhj.exe 3524 Mafofggd.exe 3128 Mkocol32.exe 4740 Nhbciqln.exe 2060 Nheqnpjk.exe 5020 Nkcmjlio.exe 1516 Ndlacapp.exe 4724 Nkeipk32.exe 4948 Nfknmd32.exe 2172 Nkhfek32.exe 772 Nbbnbemf.exe 4800 Nlgbon32.exe 2316 Nbdkhe32.exe 3604 Oljoen32.exe 2756 Ocdgahag.exe 1684 Ohqpjo32.exe 4396 Ocfdgg32.exe 2016 Odgqopeb.exe 736 Okailj32.exe 4428 Ofgmib32.exe 4440 Okceaikl.exe 4868 Obnnnc32.exe 2456 Omcbkl32.exe 4792 Obpkcc32.exe 368 Pdngpo32.exe 2628 Pkholi32.exe 4092 Pfncia32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Khcgfo32.exeCalbnnkj.exeLedoegkm.exeJegohe32.exeCkfofe32.exeDidqkeeq.exePfbfjk32.exeMbbcofpf.exeLpelqj32.exeGglpgd32.exeNnoefagj.exeNlmdml32.exeComddn32.exeGggfme32.exeHgnlmdcp.exeAhngmnnd.exedescription ioc process File created C:\Windows\SysWOW64\Ndolnm32.dll File opened for modification C:\Windows\SysWOW64\Okgfdm32.exe File opened for modification C:\Windows\SysWOW64\Dgpgplej.exe File created C:\Windows\SysWOW64\Qohghlnd.dll File created C:\Windows\SysWOW64\Hfekoc32.exe File created C:\Windows\SysWOW64\Mmfkac32.exe File created C:\Windows\SysWOW64\Mlffgmbd.dll File created C:\Windows\SysWOW64\Khfdlnab.exe Khcgfo32.exe File created C:\Windows\SysWOW64\Bqboal32.dll File created C:\Windows\SysWOW64\Ipabdl32.dll File created C:\Windows\SysWOW64\Gdncfl32.exe File opened for modification C:\Windows\SysWOW64\Ngmpmd32.exe File created C:\Windows\SysWOW64\Ppkdglmg.dll File opened for modification C:\Windows\SysWOW64\Cgejkh32.exe Calbnnkj.exe File opened for modification C:\Windows\SysWOW64\Bkjikd32.exe File created C:\Windows\SysWOW64\Fhjaco32.dll Ledoegkm.exe File opened for modification C:\Windows\SysWOW64\Knjhae32.exe File created C:\Windows\SysWOW64\Hlondh32.dll File created C:\Windows\SysWOW64\Odgohi32.dll File created C:\Windows\SysWOW64\Filhkmch.dll Jegohe32.exe File created C:\Windows\SysWOW64\Abflab32.dll Ckfofe32.exe File created C:\Windows\SysWOW64\Moofmeal.exe File created C:\Windows\SysWOW64\Pbmnlf32.exe File created C:\Windows\SysWOW64\Mldlmdcd.dll File created C:\Windows\SysWOW64\Jnemabne.dll File created C:\Windows\SysWOW64\Nnohfi32.dll File opened for modification C:\Windows\SysWOW64\Dlcmgqdd.exe Didqkeeq.exe File created C:\Windows\SysWOW64\Bgniimhp.dll Pfbfjk32.exe File created C:\Windows\SysWOW64\Pnjbbemd.dll File created C:\Windows\SysWOW64\Nilkkq32.exe Mbbcofpf.exe File created C:\Windows\SysWOW64\Pdhenk32.dll File opened for modification C:\Windows\SysWOW64\Lagekp32.exe File created C:\Windows\SysWOW64\Lfodmdni.exe Lpelqj32.exe File opened for modification C:\Windows\SysWOW64\Hmhhpkcj.exe Gglpgd32.exe File created C:\Windows\SysWOW64\Najagp32.exe Nnoefagj.exe File created C:\Windows\SysWOW64\Nbgljf32.exe Nlmdml32.exe File created C:\Windows\SysWOW64\Odqjnmoo.dll File created C:\Windows\SysWOW64\Fmehmkil.dll File created C:\Windows\SysWOW64\Mpebjb32.exe File opened for modification C:\Windows\SysWOW64\Jookdcie.exe File created C:\Windows\SysWOW64\Cfglahbj.exe Comddn32.exe File opened for modification C:\Windows\SysWOW64\Bjlgnh32.exe File opened for modification C:\Windows\SysWOW64\Gqokekph.exe Gggfme32.exe File opened for modification C:\Windows\SysWOW64\Hfamia32.exe Hgnlmdcp.exe File opened for modification C:\Windows\SysWOW64\Ajodef32.exe Ahngmnnd.exe File opened for modification C:\Windows\SysWOW64\Pehghhgc.exe File created C:\Windows\SysWOW64\Jidoefag.dll File created C:\Windows\SysWOW64\Mhbaol32.dll File created C:\Windows\SysWOW64\Pecefa32.exe File created C:\Windows\SysWOW64\Hiemgadg.dll File created C:\Windows\SysWOW64\Kblpnall.exe File created C:\Windows\SysWOW64\Chjaha32.exe File created C:\Windows\SysWOW64\Lnmnpe32.dll File created C:\Windows\SysWOW64\Bgjoghhk.dll File created C:\Windows\SysWOW64\Gbgbgalj.exe File created C:\Windows\SysWOW64\Lhkghofb.exe File opened for modification C:\Windows\SysWOW64\Fpfppl32.exe File opened for modification C:\Windows\SysWOW64\Ljloii32.exe File opened for modification C:\Windows\SysWOW64\Ncnook32.exe File created C:\Windows\SysWOW64\Lggeej32.exe File created C:\Windows\SysWOW64\Ijcecgnl.exe File opened for modification C:\Windows\SysWOW64\Mpebjb32.exe File created C:\Windows\SysWOW64\Ojjoedfn.exe File created C:\Windows\SysWOW64\Leadag32.dll -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nieoal32.exeOnmahojj.exeOmhpcm32.exeGlqkefff.exeLohggm32.exeKbedaand.exeLfodmdni.exeKclnfi32.exeDkjbgooi.exeIemdkl32.exeLdanloba.exeJlkfbe32.exeJjgcgo32.exeIhlgan32.exeIljpgl32.exeHomcbo32.exeKnfepldb.exeEgbdjhlp.exeNaokbokn.exeCnbfgh32.exeFebogbhg.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nieoal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmahojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glqkefff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohggm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbedaand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfodmdni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclnfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjbgooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iemdkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldanloba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkfbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgcgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihlgan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfepldb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbdjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naokbokn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnbfgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Febogbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 64 IoCs
Processes:
Ohpiphlb.exeJjefao32.exeNdjldo32.exeFalmabki.exeAbbiej32.exeEkahhn32.exeIfaepolg.exeJfdafa32.exeHokgmpkl.exeEpgdch32.exeAgcdnjcl.exeEmbdofop.exeGnoacp32.exeBbmbgb32.exeNfjeej32.exeDmmdjp32.exePdlbpldg.exeBpaacblm.exeNkeipk32.exeMikepg32.exeNbdkhe32.exeLlpofd32.exeKehojiej.exeLipmoo32.exeFbqiak32.exeAhinbo32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocadkb32.dll" Ohpiphlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkane32.dll" Jjefao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndjldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Falmabki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abbiej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekahhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnlip32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdgmfhkf.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didhmpdm.dll" Ifaepolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfdafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hokgmpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioakpf32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epgdch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Agcdnjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Embdofop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnoacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbmbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pibfhink.dll" Nfjeej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoknen32.dll" Dmmdjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legngqpa.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnckjif.dll" Pdlbpldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjidgaoa.dll" Bpaacblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplcocfn.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkeipk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mikepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimpafok.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogfcc32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll" Nbdkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojfaj32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggappk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llpofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kehojiej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjlan32.dll" Lipmoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbqiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahinbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogkooi32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifqikhho.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Padodor.SK.exeIbdplaho.exeIhaidhgf.exeInkaqb32.exeIdhiii32.exeJnnnfalp.exeJdjfohjg.exeJjdokb32.exeJejbhk32.exeJldkeeig.exeJaqcnl32.exeJdopjh32.exeJnedgq32.exeJeolckne.exeJjnaaa32.exeKahinkaf.exeKbgfhnhi.exeKongmo32.exeKehojiej.exeKlbgfc32.exeKaopoj32.exeKhihld32.exedescription pid process target process PID 1740 wrote to memory of 1016 1740 Backdoor.Win32.Padodor.SK.exe Ibdplaho.exe PID 1740 wrote to memory of 1016 1740 Backdoor.Win32.Padodor.SK.exe Ibdplaho.exe PID 1740 wrote to memory of 1016 1740 Backdoor.Win32.Padodor.SK.exe Ibdplaho.exe PID 1016 wrote to memory of 4708 1016 Ibdplaho.exe Ihaidhgf.exe PID 1016 wrote to memory of 4708 1016 Ibdplaho.exe Ihaidhgf.exe PID 1016 wrote to memory of 4708 1016 Ibdplaho.exe Ihaidhgf.exe PID 4708 wrote to memory of 4864 4708 Ihaidhgf.exe Inkaqb32.exe PID 4708 wrote to memory of 4864 4708 Ihaidhgf.exe Inkaqb32.exe PID 4708 wrote to memory of 4864 4708 Ihaidhgf.exe Inkaqb32.exe PID 4864 wrote to memory of 3044 4864 Inkaqb32.exe Idhiii32.exe PID 4864 wrote to memory of 3044 4864 Inkaqb32.exe Idhiii32.exe PID 4864 wrote to memory of 3044 4864 Inkaqb32.exe Idhiii32.exe PID 3044 wrote to memory of 3344 3044 Idhiii32.exe Jnnnfalp.exe PID 3044 wrote to memory of 3344 3044 Idhiii32.exe Jnnnfalp.exe PID 3044 wrote to memory of 3344 3044 Idhiii32.exe Jnnnfalp.exe PID 3344 wrote to memory of 916 3344 Jnnnfalp.exe Jdjfohjg.exe PID 3344 wrote to memory of 916 3344 Jnnnfalp.exe Jdjfohjg.exe PID 3344 wrote to memory of 916 3344 Jnnnfalp.exe Jdjfohjg.exe PID 916 wrote to memory of 4496 916 Jdjfohjg.exe Jjdokb32.exe PID 916 wrote to memory of 4496 916 Jdjfohjg.exe Jjdokb32.exe PID 916 wrote to memory of 4496 916 Jdjfohjg.exe Jjdokb32.exe PID 4496 wrote to memory of 3032 4496 Jjdokb32.exe Jejbhk32.exe PID 4496 wrote to memory of 3032 4496 Jjdokb32.exe Jejbhk32.exe PID 4496 wrote to memory of 3032 4496 Jjdokb32.exe Jejbhk32.exe PID 3032 wrote to memory of 1140 3032 Jejbhk32.exe Jldkeeig.exe PID 3032 wrote to memory of 1140 3032 Jejbhk32.exe Jldkeeig.exe PID 3032 wrote to memory of 1140 3032 Jejbhk32.exe Jldkeeig.exe PID 1140 wrote to memory of 3112 1140 Jldkeeig.exe Jaqcnl32.exe PID 1140 wrote to memory of 3112 1140 Jldkeeig.exe Jaqcnl32.exe PID 1140 wrote to memory of 3112 1140 Jldkeeig.exe Jaqcnl32.exe PID 3112 wrote to memory of 3188 3112 Jaqcnl32.exe Jdopjh32.exe PID 3112 wrote to memory of 3188 3112 Jaqcnl32.exe Jdopjh32.exe PID 3112 wrote to memory of 3188 3112 Jaqcnl32.exe Jdopjh32.exe PID 3188 wrote to memory of 3120 3188 Jdopjh32.exe Jnedgq32.exe PID 3188 wrote to memory of 3120 3188 Jdopjh32.exe Jnedgq32.exe PID 3188 wrote to memory of 3120 3188 Jdopjh32.exe Jnedgq32.exe PID 3120 wrote to memory of 4032 3120 Jnedgq32.exe Jeolckne.exe PID 3120 wrote to memory of 4032 3120 Jnedgq32.exe Jeolckne.exe PID 3120 wrote to memory of 4032 3120 Jnedgq32.exe Jeolckne.exe PID 4032 wrote to memory of 2212 4032 Jeolckne.exe Jjnaaa32.exe PID 4032 wrote to memory of 2212 4032 Jeolckne.exe Jjnaaa32.exe PID 4032 wrote to memory of 2212 4032 Jeolckne.exe Jjnaaa32.exe PID 2212 wrote to memory of 2516 2212 Jjnaaa32.exe Kahinkaf.exe PID 2212 wrote to memory of 2516 2212 Jjnaaa32.exe Kahinkaf.exe PID 2212 wrote to memory of 2516 2212 Jjnaaa32.exe Kahinkaf.exe PID 2516 wrote to memory of 4488 2516 Kahinkaf.exe Kbgfhnhi.exe PID 2516 wrote to memory of 4488 2516 Kahinkaf.exe Kbgfhnhi.exe PID 2516 wrote to memory of 4488 2516 Kahinkaf.exe Kbgfhnhi.exe PID 4488 wrote to memory of 2924 4488 Kbgfhnhi.exe Kongmo32.exe PID 4488 wrote to memory of 2924 4488 Kbgfhnhi.exe Kongmo32.exe PID 4488 wrote to memory of 2924 4488 Kbgfhnhi.exe Kongmo32.exe PID 2924 wrote to memory of 1960 2924 Kongmo32.exe Kehojiej.exe PID 2924 wrote to memory of 1960 2924 Kongmo32.exe Kehojiej.exe PID 2924 wrote to memory of 1960 2924 Kongmo32.exe Kehojiej.exe PID 1960 wrote to memory of 2704 1960 Kehojiej.exe Klbgfc32.exe PID 1960 wrote to memory of 2704 1960 Kehojiej.exe Klbgfc32.exe PID 1960 wrote to memory of 2704 1960 Kehojiej.exe Klbgfc32.exe PID 2704 wrote to memory of 4588 2704 Klbgfc32.exe Kaopoj32.exe PID 2704 wrote to memory of 4588 2704 Klbgfc32.exe Kaopoj32.exe PID 2704 wrote to memory of 4588 2704 Klbgfc32.exe Kaopoj32.exe PID 4588 wrote to memory of 4088 4588 Kaopoj32.exe Khihld32.exe PID 4588 wrote to memory of 4088 4588 Kaopoj32.exe Khihld32.exe PID 4588 wrote to memory of 4088 4588 Kaopoj32.exe Khihld32.exe PID 4088 wrote to memory of 3152 4088 Khihld32.exe Kkgdhp32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Jdjfohjg.exeC:\Windows\system32\Jdjfohjg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Jaqcnl32.exeC:\Windows\system32\Jaqcnl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Jnedgq32.exeC:\Windows\system32\Jnedgq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Kahinkaf.exeC:\Windows\system32\Kahinkaf.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Klbgfc32.exeC:\Windows\system32\Klbgfc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Kkgdhp32.exeC:\Windows\system32\Kkgdhp32.exe23⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe24⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe25⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Loemnnhe.exeC:\Windows\system32\Loemnnhe.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe27⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Lhmafcnf.exeC:\Windows\system32\Lhmafcnf.exe28⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Lbcedmnl.exeC:\Windows\system32\Lbcedmnl.exe29⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Lddble32.exeC:\Windows\system32\Lddble32.exe30⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Lhpnlclc.exeC:\Windows\system32\Lhpnlclc.exe31⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ledoegkm.exeC:\Windows\system32\Ledoegkm.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3448 -
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe33⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe34⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Mlbpma32.exeC:\Windows\system32\Mlbpma32.exe35⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Mekdffee.exeC:\Windows\system32\Mekdffee.exe36⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Mkgmoncl.exeC:\Windows\system32\Mkgmoncl.exe37⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Memalfcb.exeC:\Windows\system32\Memalfcb.exe38⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe39⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe40⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe41⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe42⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe43⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nkcmjlio.exeC:\Windows\system32\Nkcmjlio.exe44⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe45⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe47⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Nkhfek32.exeC:\Windows\system32\Nkhfek32.exe48⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe49⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe50⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe52⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Ocdgahag.exeC:\Windows\system32\Ocdgahag.exe53⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe54⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ocfdgg32.exeC:\Windows\system32\Ocfdgg32.exe55⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe56⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Okailj32.exeC:\Windows\system32\Okailj32.exe57⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Ofgmib32.exeC:\Windows\system32\Ofgmib32.exe58⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe59⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe60⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe61⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe62⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe63⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe64⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe65⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Pkklbh32.exeC:\Windows\system32\Pkklbh32.exe66⤵PID:4116
-
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe67⤵PID:1600
-
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe68⤵PID:464
-
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe69⤵PID:400
-
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe70⤵PID:4364
-
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe71⤵PID:3056
-
C:\Windows\SysWOW64\Pomncfge.exeC:\Windows\system32\Pomncfge.exe72⤵PID:4696
-
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe73⤵PID:4560
-
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe74⤵PID:5024
-
C:\Windows\SysWOW64\Qelcamcj.exeC:\Windows\system32\Qelcamcj.exe75⤵PID:5048
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe76⤵PID:3484
-
C:\Windows\SysWOW64\Qmckbjdl.exeC:\Windows\system32\Qmckbjdl.exe77⤵PID:452
-
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe78⤵PID:4280
-
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe79⤵PID:5140
-
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe80⤵PID:5180
-
C:\Windows\SysWOW64\Afnlpohj.exeC:\Windows\system32\Afnlpohj.exe81⤵PID:5220
-
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe82⤵PID:5264
-
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe83⤵PID:5308
-
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe84⤵PID:5364
-
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe85⤵PID:5412
-
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe86⤵PID:5476
-
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe87⤵PID:5540
-
C:\Windows\SysWOW64\Bcicjbal.exeC:\Windows\system32\Bcicjbal.exe88⤵PID:5592
-
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe89⤵PID:5640
-
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe90⤵PID:5724
-
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe91⤵PID:5804
-
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe92⤵PID:5852
-
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe93⤵PID:5892
-
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe94⤵PID:5940
-
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe95⤵PID:5992
-
C:\Windows\SysWOW64\Bflham32.exeC:\Windows\system32\Bflham32.exe96⤵PID:6052
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe97⤵PID:6100
-
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe98⤵PID:5128
-
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe99⤵PID:5164
-
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe100⤵PID:5260
-
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe101⤵PID:5320
-
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe102⤵PID:5400
-
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe103⤵PID:5492
-
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe104⤵PID:5580
-
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe105⤵PID:5716
-
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe106⤵PID:5812
-
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe107⤵PID:5876
-
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe108⤵PID:5956
-
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe109⤵PID:6044
-
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe110⤵PID:6132
-
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe111⤵PID:5152
-
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe112⤵PID:5296
-
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe113⤵PID:5380
-
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe114⤵PID:5560
-
C:\Windows\SysWOW64\Dlncla32.exeC:\Windows\system32\Dlncla32.exe115⤵PID:5740
-
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe116⤵PID:5904
-
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe117⤵PID:6012
-
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe118⤵PID:6124
-
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe120⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe121⤵PID:5660
-
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe122⤵PID:5952
-
C:\Windows\SysWOW64\Dmbiackg.exeC:\Windows\system32\Dmbiackg.exe123⤵PID:6080
-
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe124⤵PID:5408
-
C:\Windows\SysWOW64\Egknji32.exeC:\Windows\system32\Egknji32.exe125⤵PID:5792
-
C:\Windows\SysWOW64\Emeffcid.exeC:\Windows\system32\Emeffcid.exe126⤵PID:6064
-
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe127⤵PID:5456
-
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe128⤵PID:5868
-
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe129⤵PID:5628
-
C:\Windows\SysWOW64\Epeohn32.exeC:\Windows\system32\Epeohn32.exe130⤵PID:5316
-
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe131⤵PID:5656
-
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe132⤵PID:6176
-
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe133⤵PID:6220
-
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe134⤵
- System Location Discovery: System Language Discovery
PID:6264 -
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe135⤵PID:6308
-
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe136⤵PID:6352
-
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe137⤵PID:6400
-
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe138⤵PID:6444
-
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe139⤵PID:6488
-
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe140⤵PID:6532
-
C:\Windows\SysWOW64\Fjeibc32.exeC:\Windows\system32\Fjeibc32.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6576 -
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe142⤵PID:6620
-
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe143⤵PID:6664
-
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe144⤵PID:6708
-
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe145⤵PID:6756
-
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe146⤵PID:6800
-
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe147⤵PID:6844
-
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe148⤵PID:6888
-
C:\Windows\SysWOW64\Ffpcbchm.exeC:\Windows\system32\Ffpcbchm.exe149⤵PID:6936
-
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe150⤵PID:6984
-
C:\Windows\SysWOW64\Fdadpk32.exeC:\Windows\system32\Fdadpk32.exe151⤵PID:7052
-
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe152⤵PID:7096
-
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe153⤵PID:7140
-
C:\Windows\SysWOW64\Gddqejni.exeC:\Windows\system32\Gddqejni.exe154⤵PID:6164
-
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe155⤵PID:6232
-
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe156⤵PID:6300
-
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe157⤵PID:6336
-
C:\Windows\SysWOW64\Gnoacp32.exeC:\Windows\system32\Gnoacp32.exe158⤵
- Modifies registry class
PID:6440 -
C:\Windows\SysWOW64\Gckjlf32.exeC:\Windows\system32\Gckjlf32.exe159⤵PID:6508
-
C:\Windows\SysWOW64\Gggfme32.exeC:\Windows\system32\Gggfme32.exe160⤵
- Drops file in System32 directory
PID:6572 -
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe161⤵PID:6660
-
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6692 -
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe163⤵PID:6788
-
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe164⤵
- Drops file in System32 directory
PID:6856 -
C:\Windows\SysWOW64\Hmhhpkcj.exeC:\Windows\system32\Hmhhpkcj.exe165⤵PID:6916
-
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe166⤵PID:7032
-
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe167⤵
- Drops file in System32 directory
PID:7088 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe168⤵PID:5980
-
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe169⤵PID:6252
-
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe170⤵PID:6364
-
C:\Windows\SysWOW64\Hnjaonij.exeC:\Windows\system32\Hnjaonij.exe171⤵PID:6456
-
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe172⤵PID:6588
-
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe173⤵PID:6696
-
C:\Windows\SysWOW64\Hfhbipdb.exeC:\Windows\system32\Hfhbipdb.exe174⤵PID:6792
-
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe175⤵PID:6912
-
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe176⤵PID:6908
-
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe177⤵PID:7152
-
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe178⤵PID:6272
-
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe179⤵PID:6484
-
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe180⤵PID:6656
-
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe181⤵PID:6784
-
C:\Windows\SysWOW64\Ifoijonj.exeC:\Windows\system32\Ifoijonj.exe182⤵PID:6964
-
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe183⤵PID:7108
-
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe184⤵PID:6388
-
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe185⤵
- Modifies registry class
PID:6628 -
C:\Windows\SysWOW64\Imknli32.exeC:\Windows\system32\Imknli32.exe186⤵PID:6948
-
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe187⤵PID:6204
-
C:\Windows\SysWOW64\Ifcben32.exeC:\Windows\system32\Ifcben32.exe188⤵PID:6568
-
C:\Windows\SysWOW64\Imnjbhaa.exeC:\Windows\system32\Imnjbhaa.exe189⤵PID:6160
-
C:\Windows\SysWOW64\Iedbcebd.exeC:\Windows\system32\Iedbcebd.exe190⤵PID:6564
-
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe191⤵PID:6500
-
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe192⤵
- Drops file in System32 directory
PID:6552 -
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7176 -
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe194⤵PID:7220
-
C:\Windows\SysWOW64\Jeilne32.exeC:\Windows\system32\Jeilne32.exe195⤵PID:7264
-
C:\Windows\SysWOW64\Jjfdfl32.exeC:\Windows\system32\Jjfdfl32.exe196⤵PID:7308
-
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe197⤵PID:7356
-
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe198⤵PID:7400
-
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe199⤵PID:7444
-
C:\Windows\SysWOW64\Jfoaam32.exeC:\Windows\system32\Jfoaam32.exe200⤵PID:7488
-
C:\Windows\SysWOW64\Jmijnfgd.exeC:\Windows\system32\Jmijnfgd.exe201⤵PID:7532
-
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe202⤵PID:7576
-
C:\Windows\SysWOW64\Kfanflne.exeC:\Windows\system32\Kfanflne.exe203⤵PID:7620
-
C:\Windows\SysWOW64\Kagbdenk.exeC:\Windows\system32\Kagbdenk.exe204⤵PID:7664
-
C:\Windows\SysWOW64\Kebodc32.exeC:\Windows\system32\Kebodc32.exe205⤵PID:7708
-
C:\Windows\SysWOW64\Kjpgmj32.exeC:\Windows\system32\Kjpgmj32.exe206⤵PID:7752
-
C:\Windows\SysWOW64\Kaioidkh.exeC:\Windows\system32\Kaioidkh.exe207⤵PID:7796
-
C:\Windows\SysWOW64\Keekjc32.exeC:\Windows\system32\Keekjc32.exe208⤵PID:7840
-
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe209⤵
- Drops file in System32 directory
PID:7884 -
C:\Windows\SysWOW64\Khfdlnab.exeC:\Windows\system32\Khfdlnab.exe210⤵PID:7928
-
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe211⤵PID:7972
-
C:\Windows\SysWOW64\Kjdqhjpf.exeC:\Windows\system32\Kjdqhjpf.exe212⤵PID:8016
-
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe213⤵PID:8080
-
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe214⤵PID:8160
-
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe215⤵PID:7188
-
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe216⤵PID:7276
-
C:\Windows\SysWOW64\Knbinhfl.exeC:\Windows\system32\Knbinhfl.exe217⤵PID:7380
-
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe218⤵PID:7460
-
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe219⤵PID:7540
-
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe220⤵PID:7612
-
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe221⤵PID:7676
-
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe222⤵PID:7736
-
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe223⤵PID:7828
-
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe224⤵PID:7892
-
C:\Windows\SysWOW64\Ldanloba.exeC:\Windows\system32\Ldanloba.exe225⤵
- System Location Discovery: System Language Discovery
PID:7964 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe226⤵PID:8048
-
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe227⤵PID:8168
-
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe228⤵PID:7260
-
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe229⤵PID:7420
-
C:\Windows\SysWOW64\Lhdqml32.exeC:\Windows\system32\Lhdqml32.exe230⤵PID:7520
-
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe231⤵PID:7636
-
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe232⤵PID:7744
-
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe233⤵PID:7860
-
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe234⤵PID:7912
-
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe235⤵PID:8024
-
C:\Windows\SysWOW64\Mgkjch32.exeC:\Windows\system32\Mgkjch32.exe236⤵PID:7256
-
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe237⤵PID:7484
-
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7660 -
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe239⤵PID:7832
-
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe240⤵PID:7992
-
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe241⤵PID:7212
-
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe242⤵PID:7596