Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16/09/2024, 16:03
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
96KB
-
MD5
f4c0aae9837f944b6b86baf2dfd70710
-
SHA1
8073119bac68ce93f3b767c00f4d19060ad13678
-
SHA256
37f50f52cdc8a9778cde4977708c6369a517c697e79c5b4b5e7a2b1fae219551
-
SHA512
c9b485e8e725d05d618ae8758a4d5b5a1f41c3f9725c7282cb7d03c9325b618a4d33ebb3f06385bfd46e97c7c148b6a1e02f94b1455f3b42f66d0f065e09fe5b
-
SSDEEP
1536:ZmLyPhJqAxQSTCVAhX8Gm9T1WD57LtduV9jojTIvjrH:ZmOPh4OpuVAhjm9T8lLtd69jc0vf
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flfbcndo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeffnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imcqacfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apngjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emioab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhmqlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciogobcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gedfblql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgeadjai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaojf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdicggla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgngih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdicjfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmneemaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meljappg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imjgbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glqkefff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdbbfadn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eieplhlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbnggpfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkjig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biedhclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmhofbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icminm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmffnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agqhik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihpdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icqmncof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbapom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnppkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijedehgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bldgoeog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmckmcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dedkogqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgncff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkcibdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcbaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhcfleff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hleneo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkaqgjme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcbmlbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bndblcdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejglcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhcdlgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Decdeama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnknpqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmccnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgdgijhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mginniij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciaddaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eojeodga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkboeobh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioafchai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpklql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glchjedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kggjghkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghdhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Midoph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhdicjfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohnnqgo.exe -
Executes dropped EXE 64 IoCs
pid Process 3540 Aecialmb.exe 2980 Apimodmh.exe 3160 Aeffgkkp.exe 4708 Apkjddke.exe 4672 Afeban32.exe 4808 Apngjd32.exe 3096 Bfhofnpp.exe 4552 Bldgoeog.exe 400 Bfjllnnm.exe 3904 Blgddd32.exe 4988 Bflham32.exe 532 Bikeni32.exe 2892 Bfoegm32.exe 4224 Bimach32.exe 4824 Bbefln32.exe 1004 Bmkjig32.exe 2644 Cfcoblfb.exe 4444 Cmmgof32.exe 3248 Cdgolq32.exe 4316 Cpnpqakp.exe 2768 Cmbpjfij.exe 2356 Cfjeckpj.exe 2944 Cpcila32.exe 3452 Cfmahknh.exe 4732 Clijablo.exe 1664 Dfonnk32.exe 4304 Dllffa32.exe 2112 Dbfoclai.exe 4740 Dedkogqm.exe 3712 Dmkcpdao.exe 4792 Dgdgijhp.exe 3836 Dlqpaafg.exe 4232 Dmplkd32.exe 1956 Dghadidj.exe 3900 Eiijfd32.exe 1304 Eepkkefp.exe 4832 Egpgehnb.exe 1740 Emioab32.exe 1656 Egbdjhlp.exe 2908 Edfddl32.exe 3948 Fdhail32.exe 3112 Fgfmeg32.exe 628 Fdjnolfd.exe 4136 Fjgfgbek.exe 1736 Flfbcndo.exe 4764 Fjjcmbci.exe 4460 Fdogjk32.exe 4284 Fgncff32.exe 2380 Fpfholhc.exe 2876 Fgpplf32.exe 1636 Gjnlha32.exe 5028 Gphddlfp.exe 708 Gfemmb32.exe 1644 Gloejmld.exe 2440 Gfgjbb32.exe 2448 Gckjlf32.exe 3476 Gjebiq32.exe 2044 Gmdoel32.exe 4760 Gmfkjl32.exe 5092 Hjjldpdf.exe 4360 Hdppaidl.exe 2548 Hjlhipbc.exe 896 Hqfqfj32.exe 1732 Hjoeoo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lcqgahoe.exe Lmfodn32.exe File opened for modification C:\Windows\SysWOW64\Lipmoo32.exe Lfaqcclf.exe File created C:\Windows\SysWOW64\Qecnjaee.dll Cmbpjfij.exe File created C:\Windows\SysWOW64\Fjjcmbci.exe Flfbcndo.exe File created C:\Windows\SysWOW64\Gckcap32.exe Gplged32.exe File created C:\Windows\SysWOW64\Kkjfda32.dll Ifleji32.exe File created C:\Windows\SysWOW64\Ijblcb32.dll Lhammfci.exe File created C:\Windows\SysWOW64\Ohkijc32.exe Naqqmieo.exe File opened for modification C:\Windows\SysWOW64\Apimodmh.exe Aecialmb.exe File created C:\Windows\SysWOW64\Bmkjig32.exe Bbefln32.exe File created C:\Windows\SysWOW64\Pgbkgmao.exe Pjoknhbe.exe File opened for modification C:\Windows\SysWOW64\Ikmpcicg.exe Ijkdkq32.exe File opened for modification C:\Windows\SysWOW64\Mjdbda32.exe Mhefhf32.exe File opened for modification C:\Windows\SysWOW64\Agnkck32.exe Aqdbfa32.exe File opened for modification C:\Windows\SysWOW64\Gclimi32.exe Gkeakl32.exe File created C:\Windows\SysWOW64\Hcflch32.exe Hhpheo32.exe File created C:\Windows\SysWOW64\Hlhkja32.dll Dllffa32.exe File created C:\Windows\SysWOW64\Ljkghi32.exe Lhmjlm32.exe File opened for modification C:\Windows\SysWOW64\Khhaanop.exe Kdmeqo32.exe File created C:\Windows\SysWOW64\Omabnq32.dll Mmhofbma.exe File opened for modification C:\Windows\SysWOW64\Cehdib32.exe Cbihmg32.exe File opened for modification C:\Windows\SysWOW64\Nalgbi32.exe Nkboeobh.exe File created C:\Windows\SysWOW64\Oidodncg.dll Pjahchpb.exe File created C:\Windows\SysWOW64\Jcbhjg32.dll Pahpee32.exe File created C:\Windows\SysWOW64\Dlqpaafg.exe Dgdgijhp.exe File created C:\Windows\SysWOW64\Decdeama.exe Dlkplk32.exe File created C:\Windows\SysWOW64\Aqbfaa32.exe Ancjef32.exe File created C:\Windows\SysWOW64\Agcdnjcl.exe Addhbo32.exe File created C:\Windows\SysWOW64\Fpfholhc.exe Fgncff32.exe File created C:\Windows\SysWOW64\Iobmmoed.exe Imcqacfq.exe File created C:\Windows\SysWOW64\Fbelak32.dll Cfmahknh.exe File created C:\Windows\SysWOW64\Cgfmol32.dll Jfokff32.exe File opened for modification C:\Windows\SysWOW64\Fiaogfai.exe Fajgfiag.exe File opened for modification C:\Windows\SysWOW64\Kebodc32.exe Knifging.exe File created C:\Windows\SysWOW64\Naaghoik.exe Nnfkgp32.exe File created C:\Windows\SysWOW64\Kqfaoo32.dll Cdgolq32.exe File opened for modification C:\Windows\SysWOW64\Ohnljine.exe Onhhmpoo.exe File created C:\Windows\SysWOW64\Andqol32.exe Akfdcq32.exe File created C:\Windows\SysWOW64\Bdnkhn32.exe Bndblcdq.exe File created C:\Windows\SysWOW64\Mmgmmdep.dll Joaojf32.exe File opened for modification C:\Windows\SysWOW64\Nkboeobh.exe Ndhgie32.exe File opened for modification C:\Windows\SysWOW64\Cfcoblfb.exe Bmkjig32.exe File opened for modification C:\Windows\SysWOW64\Flboch32.exe Fhgccijm.exe File created C:\Windows\SysWOW64\Dekibcga.dll Ljjpnb32.exe File opened for modification C:\Windows\SysWOW64\Elnehifk.exe Eedmlo32.exe File created C:\Windows\SysWOW64\Oepnld32.dll Gllajf32.exe File opened for modification C:\Windows\SysWOW64\Gloejmld.exe Gfemmb32.exe File created C:\Windows\SysWOW64\Ogiobn32.dll Jegohe32.exe File opened for modification C:\Windows\SysWOW64\Afdkfh32.exe Anncek32.exe File created C:\Windows\SysWOW64\Iedanb32.dll Ehifak32.exe File opened for modification C:\Windows\SysWOW64\Elgohj32.exe Ehkcgkdj.exe File created C:\Windows\SysWOW64\Achmpagb.dll Gplged32.exe File opened for modification C:\Windows\SysWOW64\Lmfodn32.exe Lpbokjho.exe File created C:\Windows\SysWOW64\Ijjnpg32.exe Ifnbph32.exe File opened for modification C:\Windows\SysWOW64\Ljjpnb32.exe Lcqgahoe.exe File created C:\Windows\SysWOW64\Apalniie.dll Lmneemaq.exe File opened for modification C:\Windows\SysWOW64\Pdbbfadn.exe Pnhjig32.exe File opened for modification C:\Windows\SysWOW64\Akgjnj32.exe Aqbfaa32.exe File opened for modification C:\Windows\SysWOW64\Apkjddke.exe Aeffgkkp.exe File created C:\Windows\SysWOW64\Jknbhdmb.dll Ngipjp32.exe File created C:\Windows\SysWOW64\Gmdqfa32.dll Dnghhqdk.exe File created C:\Windows\SysWOW64\Mhmcck32.exe Mmhofbma.exe File created C:\Windows\SysWOW64\Lelmqm32.dll Icminm32.exe File created C:\Windows\SysWOW64\Nandhi32.exe Ngipjp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12552 12440 WerFault.exe 638 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmngm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paocim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agnkck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hembndee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmgof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlqpaafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Decdeama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbfaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofheeoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjeckpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpidk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pklkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gogjflhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpaikm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgccijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akgjnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oookgbpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngobghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoconenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioffhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfbcndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kebodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljappg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnllhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifaepolg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhefhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfhfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipdpbgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhcdlgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqdhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakidd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oahgnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkjaifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdlpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikmpcicg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkgen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldjkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehklmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kblkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaqejcep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naaghoik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmlok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpgdmjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enedio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlhaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofmaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jginej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbbfadn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmeqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flboch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkalnjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkinmlnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iooimi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdqhjpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laeoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhogamih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiqomj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhhlccb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmplkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgncff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpklql32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npnjcb32.dll" Ohkijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bggnijof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iooimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicimc32.dll" Mmjlkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nglcjfie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glqkefff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcfejfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biedhclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkbbiqp.dll" Anncek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fepmgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdnkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egpgehnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhppik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmccnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgmmdep.dll" Joaojf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oookgbpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flboch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhclcf32.dll" Mpchbhjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnabladg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhffijdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdbbfadn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaocfbb.dll" Iooimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmkcpdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedoeg32.dll" Pbapom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmkipncc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgbkgmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hholim32.dll" Jmepcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dflfoi32.dll" Dlhlleeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gckjlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icnphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhammfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhfoocaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbdoa32.dll" Hcflch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edfddl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jepbodhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onempd32.dll" Ljkghi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mklpof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhkmfgo.dll" Eiijfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aiqkmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poeahaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padkjq32.dll" Blkgen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndmpddfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enpknplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deejpjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gplged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nccmog32.dll" Mhoind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qggebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbfmcg32.dll" Fiaogfai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jodlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbolld32.dll" Fgfmeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfppjh.dll" Fbjjkble.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flboch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpbokjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojmda32.dll" Egpgehnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkbmih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdipag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kofheeoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehkcgkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgngqico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlbcolh.dll" Pgkegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddndonph.dll" Jlafhkfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dolinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oediim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anncek32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3420 wrote to memory of 3540 3420 Backdoor.Win32.Padodor.SK.exe 89 PID 3420 wrote to memory of 3540 3420 Backdoor.Win32.Padodor.SK.exe 89 PID 3420 wrote to memory of 3540 3420 Backdoor.Win32.Padodor.SK.exe 89 PID 3540 wrote to memory of 2980 3540 Aecialmb.exe 90 PID 3540 wrote to memory of 2980 3540 Aecialmb.exe 90 PID 3540 wrote to memory of 2980 3540 Aecialmb.exe 90 PID 2980 wrote to memory of 3160 2980 Apimodmh.exe 91 PID 2980 wrote to memory of 3160 2980 Apimodmh.exe 91 PID 2980 wrote to memory of 3160 2980 Apimodmh.exe 91 PID 3160 wrote to memory of 4708 3160 Aeffgkkp.exe 92 PID 3160 wrote to memory of 4708 3160 Aeffgkkp.exe 92 PID 3160 wrote to memory of 4708 3160 Aeffgkkp.exe 92 PID 4708 wrote to memory of 4672 4708 Apkjddke.exe 93 PID 4708 wrote to memory of 4672 4708 Apkjddke.exe 93 PID 4708 wrote to memory of 4672 4708 Apkjddke.exe 93 PID 4672 wrote to memory of 4808 4672 Afeban32.exe 94 PID 4672 wrote to memory of 4808 4672 Afeban32.exe 94 PID 4672 wrote to memory of 4808 4672 Afeban32.exe 94 PID 4808 wrote to memory of 3096 4808 Apngjd32.exe 95 PID 4808 wrote to memory of 3096 4808 Apngjd32.exe 95 PID 4808 wrote to memory of 3096 4808 Apngjd32.exe 95 PID 3096 wrote to memory of 4552 3096 Bfhofnpp.exe 96 PID 3096 wrote to memory of 4552 3096 Bfhofnpp.exe 96 PID 3096 wrote to memory of 4552 3096 Bfhofnpp.exe 96 PID 4552 wrote to memory of 400 4552 Bldgoeog.exe 97 PID 4552 wrote to memory of 400 4552 Bldgoeog.exe 97 PID 4552 wrote to memory of 400 4552 Bldgoeog.exe 97 PID 400 wrote to memory of 3904 400 Bfjllnnm.exe 98 PID 400 wrote to memory of 3904 400 Bfjllnnm.exe 98 PID 400 wrote to memory of 3904 400 Bfjllnnm.exe 98 PID 3904 wrote to memory of 4988 3904 Blgddd32.exe 99 PID 3904 wrote to memory of 4988 3904 Blgddd32.exe 99 PID 3904 wrote to memory of 4988 3904 Blgddd32.exe 99 PID 4988 wrote to memory of 532 4988 Bflham32.exe 100 PID 4988 wrote to memory of 532 4988 Bflham32.exe 100 PID 4988 wrote to memory of 532 4988 Bflham32.exe 100 PID 532 wrote to memory of 2892 532 Bikeni32.exe 101 PID 532 wrote to memory of 2892 532 Bikeni32.exe 101 PID 532 wrote to memory of 2892 532 Bikeni32.exe 101 PID 2892 wrote to memory of 4224 2892 Bfoegm32.exe 102 PID 2892 wrote to memory of 4224 2892 Bfoegm32.exe 102 PID 2892 wrote to memory of 4224 2892 Bfoegm32.exe 102 PID 4224 wrote to memory of 4824 4224 Bimach32.exe 103 PID 4224 wrote to memory of 4824 4224 Bimach32.exe 103 PID 4224 wrote to memory of 4824 4224 Bimach32.exe 103 PID 4824 wrote to memory of 1004 4824 Bbefln32.exe 104 PID 4824 wrote to memory of 1004 4824 Bbefln32.exe 104 PID 4824 wrote to memory of 1004 4824 Bbefln32.exe 104 PID 1004 wrote to memory of 2644 1004 Bmkjig32.exe 105 PID 1004 wrote to memory of 2644 1004 Bmkjig32.exe 105 PID 1004 wrote to memory of 2644 1004 Bmkjig32.exe 105 PID 2644 wrote to memory of 4444 2644 Cfcoblfb.exe 106 PID 2644 wrote to memory of 4444 2644 Cfcoblfb.exe 106 PID 2644 wrote to memory of 4444 2644 Cfcoblfb.exe 106 PID 4444 wrote to memory of 3248 4444 Cmmgof32.exe 107 PID 4444 wrote to memory of 3248 4444 Cmmgof32.exe 107 PID 4444 wrote to memory of 3248 4444 Cmmgof32.exe 107 PID 3248 wrote to memory of 4316 3248 Cdgolq32.exe 108 PID 3248 wrote to memory of 4316 3248 Cdgolq32.exe 108 PID 3248 wrote to memory of 4316 3248 Cdgolq32.exe 108 PID 4316 wrote to memory of 2768 4316 Cpnpqakp.exe 109 PID 4316 wrote to memory of 2768 4316 Cpnpqakp.exe 109 PID 4316 wrote to memory of 2768 4316 Cpnpqakp.exe 109 PID 2768 wrote to memory of 2356 2768 Cmbpjfij.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Bldgoeog.exeC:\Windows\system32\Bldgoeog.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Bflham32.exeC:\Windows\system32\Bflham32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Bimach32.exeC:\Windows\system32\Bimach32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe24⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3452 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe26⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe27⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Dllffa32.exeC:\Windows\system32\Dllffa32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4304 -
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe29⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Dmkcpdao.exeC:\Windows\system32\Dmkcpdao.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Dgdgijhp.exeC:\Windows\system32\Dgdgijhp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4792 -
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3836 -
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4232 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe35⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Eiijfd32.exeC:\Windows\system32\Eiijfd32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe37⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe40⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe42⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe44⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe45⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe47⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe48⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4284 -
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe50⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe51⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe52⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe53⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe55⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe56⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gckjlf32.exeC:\Windows\system32\Gckjlf32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe58⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe59⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe60⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe61⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe62⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe63⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe64⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe65⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Hddilh32.exeC:\Windows\system32\Hddilh32.exe66⤵
- System Location Discovery: System Language Discovery
PID:3216 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe67⤵PID:652
-
C:\Windows\SysWOW64\Hqkjaifk.exeC:\Windows\system32\Hqkjaifk.exe68⤵
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Windows\SysWOW64\Hjcojo32.exeC:\Windows\system32\Hjcojo32.exe69⤵PID:3664
-
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3328 -
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe71⤵PID:788
-
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe72⤵PID:1612
-
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe73⤵
- Modifies registry class
PID:4248 -
C:\Windows\SysWOW64\Imfdaigj.exeC:\Windows\system32\Imfdaigj.exe74⤵PID:244
-
C:\Windows\SysWOW64\Icqmncof.exeC:\Windows\system32\Icqmncof.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe76⤵PID:2072
-
C:\Windows\SysWOW64\Imiagi32.exeC:\Windows\system32\Imiagi32.exe77⤵PID:4324
-
C:\Windows\SysWOW64\Igneda32.exeC:\Windows\system32\Igneda32.exe78⤵PID:5172
-
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe79⤵
- System Location Discovery: System Language Discovery
PID:5216 -
C:\Windows\SysWOW64\Inhmqlmj.exeC:\Windows\system32\Inhmqlmj.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe81⤵PID:5328
-
C:\Windows\SysWOW64\Ifcben32.exeC:\Windows\system32\Ifcben32.exe82⤵PID:5412
-
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe83⤵PID:5456
-
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe84⤵PID:5504
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe85⤵PID:5552
-
C:\Windows\SysWOW64\Jnmglk32.exeC:\Windows\system32\Jnmglk32.exe86⤵PID:5640
-
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe87⤵PID:5676
-
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe88⤵
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe89⤵PID:5792
-
C:\Windows\SysWOW64\Jmdqbg32.exeC:\Windows\system32\Jmdqbg32.exe90⤵PID:5836
-
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe91⤵PID:5880
-
C:\Windows\SysWOW64\Jfoaam32.exeC:\Windows\system32\Jfoaam32.exe92⤵PID:5928
-
C:\Windows\SysWOW64\Jepbodhg.exeC:\Windows\system32\Jepbodhg.exe93⤵
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Knifging.exeC:\Windows\system32\Knifging.exe94⤵
- Drops file in System32 directory
PID:6008 -
C:\Windows\SysWOW64\Kebodc32.exeC:\Windows\system32\Kebodc32.exe95⤵
- System Location Discovery: System Language Discovery
PID:6060 -
C:\Windows\SysWOW64\Kdhlepkl.exeC:\Windows\system32\Kdhlepkl.exe96⤵PID:6104
-
C:\Windows\SysWOW64\Kmppneal.exeC:\Windows\system32\Kmppneal.exe97⤵PID:2904
-
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe98⤵PID:5168
-
C:\Windows\SysWOW64\Kjdqhjpf.exeC:\Windows\system32\Kjdqhjpf.exe99⤵
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Windows\SysWOW64\Kdmeqo32.exeC:\Windows\system32\Kdmeqo32.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5348 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe101⤵PID:5472
-
C:\Windows\SysWOW64\Kaqejcep.exeC:\Windows\system32\Kaqejcep.exe102⤵
- System Location Discovery: System Language Discovery
PID:3744 -
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe103⤵PID:5512
-
C:\Windows\SysWOW64\Lhmjlm32.exeC:\Windows\system32\Lhmjlm32.exe104⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Ljkghi32.exeC:\Windows\system32\Ljkghi32.exe105⤵
- Modifies registry class
PID:5800 -
C:\Windows\SysWOW64\Laeoec32.exeC:\Windows\system32\Laeoec32.exe106⤵
- System Location Discovery: System Language Discovery
PID:5868 -
C:\Windows\SysWOW64\Lhogamih.exeC:\Windows\system32\Lhogamih.exe107⤵
- System Location Discovery: System Language Discovery
PID:5940 -
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe108⤵PID:6016
-
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe109⤵PID:6076
-
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe110⤵PID:2056
-
C:\Windows\SysWOW64\Leedqa32.exeC:\Windows\system32\Leedqa32.exe111⤵PID:5260
-
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe112⤵
- Modifies registry class
PID:5452 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe113⤵PID:5628
-
C:\Windows\SysWOW64\Mginniij.exeC:\Windows\system32\Mginniij.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe115⤵PID:5832
-
C:\Windows\SysWOW64\Mdmngm32.exeC:\Windows\system32\Mdmngm32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5916 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe117⤵PID:6072
-
C:\Windows\SysWOW64\Meljappg.exeC:\Windows\system32\Meljappg.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5156 -
C:\Windows\SysWOW64\Mgngih32.exeC:\Windows\system32\Mgngih32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5420 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5688 -
C:\Windows\SysWOW64\Mhmcck32.exeC:\Windows\system32\Mhmcck32.exe121⤵PID:5820
-
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe122⤵
- Modifies registry class
PID:5992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-