Analysis
Max time kernel: 104s
Max time network: 19s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 16-09-2024 11:20
Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Padodor.SK.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Padodor.SK.exe
  Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Padodor.SK.exe
Size: 93KB
MD5: 7b0cb9664661f27b6a0c947abd85ce70
SHA1: 52b6e77032b45343d949962681412e20b9224949
SHA256: 302e99c188ae1ebd965821e7db1ffa019554ae9ba29367eb2c2c8556ba006204
SHA512: 2a5faa160560c68131534608416591afd21d70d50015741bd251c6361a68bc073b581c014da54367542e5dd7b8ca173011ee1319d292276c793e0b735ae84d66
SSDEEP: 1536:fjya++lGlLCp1tN0OIkKrM59rqTzRKZLJdTTnjiwg58:rya++4lOD0w0M59rqvRKZLJB3Y58
Malware Config
Extracted family: berbew
Extracted URLs:
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
  pid: 5668, pid_target: 4112
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Bineidcj.exeC:\Windows\system32\Bineidcj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Bjanfl32.exeC:\Windows\system32\Bjanfl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Cnogmk32.exeC:\Windows\system32\Cnogmk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Dfdngl32.exeC:\Windows\system32\Dfdngl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Danohi32.exeC:\Windows\system32\Danohi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Doapanne.exeC:\Windows\system32\Doapanne.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Epnldd32.exeC:\Windows\system32\Epnldd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Ekjikadb.exeC:\Windows\system32\Ekjikadb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\Fhqfie32.exeC:\Windows\system32\Fhqfie32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Gfmmanif.exeC:\Windows\system32\Gfmmanif.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Gqcaoghl.exeC:\Windows\system32\Gqcaoghl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Gqendf32.exeC:\Windows\system32\Gqendf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Gojkecka.exeC:\Windows\system32\Gojkecka.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Gicpnhbb.exeC:\Windows\system32\Gicpnhbb.exe33⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Gnphfppi.exeC:\Windows\system32\Gnphfppi.exe34⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Henjnica.exeC:\Windows\system32\Henjnica.exe35⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Hngngo32.exeC:\Windows\system32\Hngngo32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Hfbckagm.exeC:\Windows\system32\Hfbckagm.exe37⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Hgaoec32.exeC:\Windows\system32\Hgaoec32.exe38⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ibbffq32.exeC:\Windows\system32\Ibbffq32.exe39⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe40⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Jjbdfbnl.exeC:\Windows\system32\Jjbdfbnl.exe41⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe42⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Jmbnhm32.exeC:\Windows\system32\Jmbnhm32.exe43⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe44⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe45⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jgpklb32.exeC:\Windows\system32\Jgpklb32.exe46⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Jlmddi32.exeC:\Windows\system32\Jlmddi32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe48⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Kkaaee32.exeC:\Windows\system32\Kkaaee32.exe49⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe50⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Kgknpfdi.exeC:\Windows\system32\Kgknpfdi.exe52⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Kobfqc32.exeC:\Windows\system32\Kobfqc32.exe53⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe55⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Ljndga32.exeC:\Windows\system32\Ljndga32.exe57⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe58⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe59⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe60⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe61⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe62⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Llcfck32.exeC:\Windows\system32\Llcfck32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe64⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe65⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe66⤵PID:1780
-
C:\Windows\SysWOW64\Mdahnmck.exeC:\Windows\system32\Mdahnmck.exe67⤵PID:2204
-
C:\Windows\SysWOW64\Mnilfc32.exeC:\Windows\system32\Mnilfc32.exe68⤵PID:2960
-
C:\Windows\SysWOW64\Mqhhbn32.exeC:\Windows\system32\Mqhhbn32.exe69⤵PID:876
-
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe70⤵PID:2744
-
C:\Windows\SysWOW64\Mchadifq.exeC:\Windows\system32\Mchadifq.exe71⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe72⤵PID:2860
-
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe73⤵PID:2684
-
C:\Windows\SysWOW64\Mnpbgbdd.exeC:\Windows\system32\Mnpbgbdd.exe74⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe75⤵PID:1608
-
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe76⤵PID:928
-
C:\Windows\SysWOW64\Nbbhpegc.exeC:\Windows\system32\Nbbhpegc.exe77⤵PID:2736
-
C:\Windows\SysWOW64\Nlklik32.exeC:\Windows\system32\Nlklik32.exe78⤵PID:1712
-
C:\Windows\SysWOW64\Nfppfcmj.exeC:\Windows\system32\Nfppfcmj.exe79⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe80⤵PID:2076
-
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe81⤵
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe82⤵PID:360
-
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe83⤵PID:1456
-
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe84⤵PID:1688
-
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe85⤵PID:2600
-
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe86⤵PID:2180
-
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe87⤵PID:3032
-
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe88⤵PID:2844
-
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe89⤵PID:2852
-
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe90⤵PID:2804
-
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe91⤵PID:3060
-
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe92⤵PID:2064
-
C:\Windows\SysWOW64\Omlahqeo.exeC:\Windows\system32\Omlahqeo.exe93⤵PID:968
-
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe94⤵PID:2008
-
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe95⤵PID:2356
-
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe96⤵PID:2508
-
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe97⤵PID:1528
-
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe98⤵PID:1616
-
C:\Windows\SysWOW64\Pbppqf32.exeC:\Windows\system32\Pbppqf32.exe99⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe100⤵PID:1584
-
C:\Windows\SysWOW64\Pogaeg32.exeC:\Windows\system32\Pogaeg32.exe101⤵PID:1960
-
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe102⤵PID:2936
-
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe104⤵PID:2280
-
C:\Windows\SysWOW64\Qpmgho32.exeC:\Windows\system32\Qpmgho32.exe105⤵PID:2832
-
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe106⤵PID:2940
-
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe107⤵PID:1800
-
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe108⤵PID:2432
-
C:\Windows\SysWOW64\Acplpjpj.exeC:\Windows\system32\Acplpjpj.exe109⤵PID:2052
-
C:\Windows\SysWOW64\Alhaho32.exeC:\Windows\system32\Alhaho32.exe110⤵PID:2116
-
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe111⤵PID:828
-
C:\Windows\SysWOW64\Afcbgd32.exeC:\Windows\system32\Afcbgd32.exe112⤵PID:2392
-
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe113⤵PID:1564
-
C:\Windows\SysWOW64\Bncpffdn.exeC:\Windows\system32\Bncpffdn.exe114⤵PID:2788
-
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe115⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe116⤵PID:1996
-
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe117⤵
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe118⤵PID:2732
-
C:\Windows\SysWOW64\Bjnjfffm.exeC:\Windows\system32\Bjnjfffm.exe119⤵
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Bcgoolln.exeC:\Windows\system32\Bcgoolln.exe120⤵PID:2992
-
C:\Windows\SysWOW64\Cjqglf32.exeC:\Windows\system32\Cjqglf32.exe121⤵PID:2612
-
C:\Windows\SysWOW64\Ckbccnji.exeC:\Windows\system32\Ckbccnji.exe122⤵PID:1208
-
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe123⤵PID:1692
-
C:\Windows\SysWOW64\Cncmei32.exeC:\Windows\system32\Cncmei32.exe124⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe125⤵PID:2268
-
C:\Windows\SysWOW64\Cbqekhmp.exeC:\Windows\system32\Cbqekhmp.exe126⤵PID:2972
-
C:\Windows\SysWOW64\Ciknhb32.exeC:\Windows\system32\Ciknhb32.exe127⤵PID:2464
-
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe128⤵PID:2444
-
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe129⤵PID:2512
-
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe130⤵PID:656
-
C:\Windows\SysWOW64\Dgbgon32.exeC:\Windows\system32\Dgbgon32.exe131⤵PID:2188
-
C:\Windows\SysWOW64\Dnlolhoo.exeC:\Windows\system32\Dnlolhoo.exe132⤵PID:2784
-
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe133⤵PID:2752
-
C:\Windows\SysWOW64\Dmalmdcg.exeC:\Windows\system32\Dmalmdcg.exe134⤵PID:856
-
C:\Windows\SysWOW64\Dbneekan.exeC:\Windows\system32\Dbneekan.exe135⤵PID:1752
-
C:\Windows\SysWOW64\Dihmae32.exeC:\Windows\system32\Dihmae32.exe136⤵PID:864
-
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe137⤵PID:2096
-
C:\Windows\SysWOW64\Ddnaonia.exeC:\Windows\system32\Ddnaonia.exe138⤵PID:1812
-
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe139⤵PID:2928
-
C:\Windows\SysWOW64\Dpdbdo32.exeC:\Windows\system32\Dpdbdo32.exe140⤵PID:2772
-
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe141⤵PID:2912
-
C:\Windows\SysWOW64\Eojoelcm.exeC:\Windows\system32\Eojoelcm.exe142⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe143⤵PID:2236
-
C:\Windows\SysWOW64\Eefdgeig.exeC:\Windows\system32\Eefdgeig.exe144⤵PID:2712
-
C:\Windows\SysWOW64\Ekblplgo.exeC:\Windows\system32\Ekblplgo.exe145⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Eehqme32.exeC:\Windows\system32\Eehqme32.exe146⤵PID:1652
-
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Ehiiop32.exeC:\Windows\system32\Ehiiop32.exe148⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Eijffhjd.exeC:\Windows\system32\Eijffhjd.exe149⤵PID:2948
-
C:\Windows\SysWOW64\Fdpjcaij.exeC:\Windows\system32\Fdpjcaij.exe150⤵PID:2680
-
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Fcegdnna.exeC:\Windows\system32\Fcegdnna.exe152⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe153⤵PID:1448
-
C:\Windows\SysWOW64\Fialggcl.exeC:\Windows\system32\Fialggcl.exe154⤵PID:2440
-
C:\Windows\SysWOW64\Fcjqpm32.exeC:\Windows\system32\Fcjqpm32.exe155⤵PID:2340
-
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe156⤵PID:2812
-
C:\Windows\SysWOW64\Fdmjmenh.exeC:\Windows\system32\Fdmjmenh.exe157⤵PID:664
-
C:\Windows\SysWOW64\Gnenfjdh.exeC:\Windows\system32\Gnenfjdh.exe158⤵PID:2256
-
C:\Windows\SysWOW64\Ghkbccdn.exeC:\Windows\system32\Ghkbccdn.exe159⤵PID:1440
-
C:\Windows\SysWOW64\Goekpm32.exeC:\Windows\system32\Goekpm32.exe160⤵PID:1676
-
C:\Windows\SysWOW64\Ggppdpif.exeC:\Windows\system32\Ggppdpif.exe161⤵PID:2484
-
C:\Windows\SysWOW64\Gqidme32.exeC:\Windows\system32\Gqidme32.exe162⤵PID:2616
-
C:\Windows\SysWOW64\Gcgpiq32.exeC:\Windows\system32\Gcgpiq32.exe163⤵PID:2264
-
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe164⤵PID:956
-
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe165⤵PID:2492
-
C:\Windows\SysWOW64\Gopnca32.exeC:\Windows\system32\Gopnca32.exe166⤵PID:1728
-
C:\Windows\SysWOW64\Hqpjndio.exeC:\Windows\system32\Hqpjndio.exe167⤵PID:1072
-
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe168⤵PID:1932
-
C:\Windows\SysWOW64\Hfookk32.exeC:\Windows\system32\Hfookk32.exe169⤵PID:1176
-
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe170⤵PID:1736
-
C:\Windows\SysWOW64\Hedllgjk.exeC:\Windows\system32\Hedllgjk.exe171⤵PID:1740
-
C:\Windows\SysWOW64\Hkndiabh.exeC:\Windows\system32\Hkndiabh.exe172⤵PID:2660
-
C:\Windows\SysWOW64\Hqkmahpp.exeC:\Windows\system32\Hqkmahpp.exe173⤵PID:1588
-
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe174⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Ieiegf32.exeC:\Windows\system32\Ieiegf32.exe175⤵PID:2136
-
C:\Windows\SysWOW64\Ikbndqnc.exeC:\Windows\system32\Ikbndqnc.exe176⤵PID:2124
-
C:\Windows\SysWOW64\Igioiacg.exeC:\Windows\system32\Igioiacg.exe177⤵PID:2500
-
C:\Windows\SysWOW64\Imfgahao.exeC:\Windows\system32\Imfgahao.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Ifoljn32.exeC:\Windows\system32\Ifoljn32.exe179⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Imidgh32.exeC:\Windows\system32\Imidgh32.exe180⤵PID:2488
-
C:\Windows\SysWOW64\Ifahpnfl.exeC:\Windows\system32\Ifahpnfl.exe181⤵PID:2748
-
C:\Windows\SysWOW64\Ipimic32.exeC:\Windows\system32\Ipimic32.exe182⤵PID:1332
-
C:\Windows\SysWOW64\Ifceemdj.exeC:\Windows\system32\Ifceemdj.exe183⤵PID:3108
-
C:\Windows\SysWOW64\Jmmmbg32.exeC:\Windows\system32\Jmmmbg32.exe184⤵PID:3148
-
C:\Windows\SysWOW64\Jehbfjia.exeC:\Windows\system32\Jehbfjia.exe185⤵PID:3188
-
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe186⤵PID:3232
-
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe187⤵PID:3272
-
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe188⤵PID:3312
-
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe189⤵PID:3356
-
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe190⤵PID:3396
-
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe191⤵PID:3436
-
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe192⤵PID:3476
-
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe193⤵PID:3516
-
C:\Windows\SysWOW64\Koelibnh.exeC:\Windows\system32\Koelibnh.exe194⤵PID:3556
-
C:\Windows\SysWOW64\Khnqbhdi.exeC:\Windows\system32\Khnqbhdi.exe195⤵PID:3596
-
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe196⤵PID:3636
-
C:\Windows\SysWOW64\Lahaqm32.exeC:\Windows\system32\Lahaqm32.exe197⤵PID:3680
-
C:\Windows\SysWOW64\Lgejidgn.exeC:\Windows\system32\Lgejidgn.exe198⤵PID:3720
-
C:\Windows\SysWOW64\Laknfmgd.exeC:\Windows\system32\Laknfmgd.exe199⤵PID:3760
-
C:\Windows\SysWOW64\Lkccob32.exeC:\Windows\system32\Lkccob32.exe200⤵PID:3800
-
C:\Windows\SysWOW64\Lppkgi32.exeC:\Windows\system32\Lppkgi32.exe201⤵PID:3840
-
C:\Windows\SysWOW64\Lgjcdc32.exeC:\Windows\system32\Lgjcdc32.exe202⤵PID:3880
-
C:\Windows\SysWOW64\Mglpjc32.exeC:\Windows\system32\Mglpjc32.exe203⤵PID:3920
-
C:\Windows\SysWOW64\Mjkmfn32.exeC:\Windows\system32\Mjkmfn32.exe204⤵PID:3960
-
C:\Windows\SysWOW64\Mfamko32.exeC:\Windows\system32\Mfamko32.exe205⤵PID:4000
-
C:\Windows\SysWOW64\Mojaceln.exeC:\Windows\system32\Mojaceln.exe206⤵PID:4040
-
C:\Windows\SysWOW64\Moloidjl.exeC:\Windows\system32\Moloidjl.exe207⤵PID:4080
-
C:\Windows\SysWOW64\Mdigakic.exeC:\Windows\system32\Mdigakic.exe208⤵PID:3088
-
C:\Windows\SysWOW64\Mookod32.exeC:\Windows\system32\Mookod32.exe209⤵PID:3136
-
C:\Windows\SysWOW64\Mkelcenm.exeC:\Windows\system32\Mkelcenm.exe210⤵PID:3184
-
C:\Windows\SysWOW64\Ndnplk32.exeC:\Windows\system32\Ndnplk32.exe211⤵PID:3240
-
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe212⤵PID:3292
-
C:\Windows\SysWOW64\Nbaafocg.exeC:\Windows\system32\Nbaafocg.exe213⤵
- Drops file in System32 directory
PID:3324 -
C:\Windows\SysWOW64\Ngoinfao.exeC:\Windows\system32\Ngoinfao.exe214⤵PID:3392
-
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe215⤵
- System Location Discovery: System Language Discovery
PID:3408 -
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe216⤵PID:3496
-
C:\Windows\SysWOW64\Nidoamch.exeC:\Windows\system32\Nidoamch.exe217⤵PID:3544
-
C:\Windows\SysWOW64\Nqkgbkdj.exeC:\Windows\system32\Nqkgbkdj.exe218⤵PID:3584
-
C:\Windows\SysWOW64\Nfhpjaba.exeC:\Windows\system32\Nfhpjaba.exe219⤵
- Modifies registry class
PID:3632 -
C:\Windows\SysWOW64\Ofklpa32.exeC:\Windows\system32\Ofklpa32.exe220⤵PID:3692
-
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe221⤵PID:3744
-
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe222⤵PID:3792
-
C:\Windows\SysWOW64\Onhnjclg.exeC:\Windows\system32\Onhnjclg.exe223⤵PID:3848
-
C:\Windows\SysWOW64\Oinbglkm.exeC:\Windows\system32\Oinbglkm.exe224⤵PID:3896
-
C:\Windows\SysWOW64\Oedclm32.exeC:\Windows\system32\Oedclm32.exe225⤵PID:3944
-
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe226⤵
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe227⤵
- Drops file in System32 directory
PID:4032 -
C:\Windows\SysWOW64\Pmbdfolj.exeC:\Windows\system32\Pmbdfolj.exe228⤵PID:2208
-
C:\Windows\SysWOW64\Piiekp32.exeC:\Windows\system32\Piiekp32.exe229⤵PID:3096
-
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe230⤵PID:3120
-
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe231⤵PID:3252
-
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe232⤵PID:3208
-
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe233⤵PID:3380
-
C:\Windows\SysWOW64\Qbhpddbf.exeC:\Windows\system32\Qbhpddbf.exe234⤵PID:3428
-
C:\Windows\SysWOW64\Qhehmkqn.exeC:\Windows\system32\Qhehmkqn.exe235⤵PID:3512
-
C:\Windows\SysWOW64\Qamleagn.exeC:\Windows\system32\Qamleagn.exe236⤵PID:3572
-
C:\Windows\SysWOW64\Alcqcjgd.exeC:\Windows\system32\Alcqcjgd.exe237⤵
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Aapikqel.exeC:\Windows\system32\Aapikqel.exe238⤵PID:3728
-
C:\Windows\SysWOW64\Akhndf32.exeC:\Windows\system32\Akhndf32.exe239⤵PID:3732
-
C:\Windows\SysWOW64\Agonig32.exeC:\Windows\system32\Agonig32.exe240⤵PID:3768
-
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe241⤵PID:3868
-
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe242⤵PID:3940