Analysis
-
max time kernel
105s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/10/2024, 11:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5eN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5eN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5eN.exe
-
Size
89KB
-
MD5
2ac280c6f6b274596a52e5352e9e6510
-
SHA1
8e8c52a82568d8c71862a075dc59bbf32074f29e
-
SHA256
fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5e
-
SHA512
90afd2b7f4492d860040ab23b8fe4f4371d70b39bed00f5bb86ec43d9874fc3c80e1f953854a476e730b5b7705eba715c523bc7b139234719ab5dc04fe3d77e9
-
SSDEEP
1536:Bt+Hjku4mRL7wr76mqEMWv8AnD+0uD85RQ29R+KRFR3RzR1URJrCiuiNj5QkMMWs:Bt+Au4mRL7urMWvXNuD85eMjb5ZXUf2k
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poimpapp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njjmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfoiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manmoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjola32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafkgphl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlmchoan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbdjeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbibfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elnoopdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipgbdbqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggmmlamj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbeml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnoddcef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmgjia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doojec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjeiodek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piocecgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcikejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnfaohbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnfbcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbkfbcpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbfklei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiaoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgdejd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoahh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innfnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hioflcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbndfl32.exe -
Executes dropped EXE 64 IoCs
pid Process 4032 Bmofagfp.exe 3144 Bcinna32.exe 4052 Bjbfklei.exe 3092 Bkdcbd32.exe 3300 Bbnkonbd.exe 3408 Cjecpkcg.exe 3616 Ckfphc32.exe 4320 Ccmgiaig.exe 1944 Cjgpfk32.exe 4152 Codhnb32.exe 3376 Cjjlkk32.exe 1052 Ckkiccep.exe 1256 Cjliajmo.exe 1176 Cioilg32.exe 4716 Ckmehb32.exe 4548 Cbgnemjj.exe 2320 Cjnffjkl.exe 2352 Ccgjopal.exe 1784 Diccgfpd.exe 3004 Dcigeooj.exe 4512 Djcoai32.exe 3544 Dkdliame.exe 2132 Dbndfl32.exe 428 Djelgied.exe 4704 Dpbdopck.exe 2200 Dbqqkkbo.exe 3524 Djhimica.exe 3640 Dikihe32.exe 3496 Dmfeidbe.exe 3980 Dlieda32.exe 2232 Dcpmen32.exe 916 Dbcmakpl.exe 4456 Dfoiaj32.exe 3260 Djjebh32.exe 4476 Dimenegi.exe 1532 Dmhand32.exe 4136 Dlkbjqgm.exe 1948 Dpgnjo32.exe 1772 Ecbjkngo.exe 1324 Ebejfk32.exe 2824 Efafgifc.exe 2028 Ejlbhh32.exe 1896 Eiobceef.exe 4588 Emkndc32.exe 3516 Elnoopdj.exe 2008 Ecefqnel.exe 1960 Ebhglj32.exe 3560 Efccmidp.exe 4732 Ejoomhmi.exe 3552 Eiaoid32.exe 1120 Emmkiclm.exe 3656 Elpkep32.exe 2844 Eplgeokq.exe 4908 Ecgcfm32.exe 3984 Ebjcajjd.exe 4020 Efepbi32.exe 1964 Eidlnd32.exe 2704 Emphocjj.exe 3920 Elbhjp32.exe 2948 Epndknin.exe 1972 Eciplm32.exe 316 Eblpgjha.exe 1492 Efhlhh32.exe 1428 Eifhdd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ebgpad32.exe Ekmhejao.exe File created C:\Windows\SysWOW64\Ckkiccep.exe Cjjlkk32.exe File opened for modification C:\Windows\SysWOW64\Anaomkdb.exe Aajohjon.exe File created C:\Windows\SysWOW64\Bnoddcef.exe Bhblllfo.exe File created C:\Windows\SysWOW64\Emjgim32.exe Efpomccg.exe File created C:\Windows\SysWOW64\Jcfggkac.exe Jphkkpbp.exe File created C:\Windows\SysWOW64\Fpkefnho.dll Nnicid32.exe File created C:\Windows\SysWOW64\Iahici32.dll Bhkmec32.exe File created C:\Windows\SysWOW64\Hoobdp32.exe Hlpfhe32.exe File opened for modification C:\Windows\SysWOW64\Lckiihok.exe Ljceqb32.exe File opened for modification C:\Windows\SysWOW64\Dimenegi.exe Djjebh32.exe File created C:\Windows\SysWOW64\Gnbcohkd.dll Elbhjp32.exe File opened for modification C:\Windows\SysWOW64\Mgaokl32.exe Mcecjmkl.exe File created C:\Windows\SysWOW64\Chkolm32.dll Maiccajf.exe File created C:\Windows\SysWOW64\Mcoljagj.exe Mpapnfhg.exe File created C:\Windows\SysWOW64\Eqdpgk32.exe Doccpcja.exe File opened for modification C:\Windows\SysWOW64\Kclgmq32.exe Knooej32.exe File created C:\Windows\SysWOW64\Boeebnhp.exe Bkjiao32.exe File opened for modification C:\Windows\SysWOW64\Lqkqhm32.exe Lcgpni32.exe File created C:\Windows\SysWOW64\Adfnba32.dll Npgmpf32.exe File opened for modification C:\Windows\SysWOW64\Lakfeodm.exe Lomjicei.exe File opened for modification C:\Windows\SysWOW64\Hgdejd32.exe Hloqml32.exe File created C:\Windows\SysWOW64\Ngjbaj32.exe Nelfeo32.exe File created C:\Windows\SysWOW64\Mkfoeejd.dll Ocohmc32.exe File opened for modification C:\Windows\SysWOW64\Giljfddl.exe Gaebef32.exe File created C:\Windows\SysWOW64\Gmbmkpie.exe Gbmingjo.exe File created C:\Windows\SysWOW64\Bjeehbgh.dll Alelqb32.exe File created C:\Windows\SysWOW64\Enkmfolf.exe Eklajcmc.exe File created C:\Windows\SysWOW64\Klfaapbl.exe Kjgeedch.exe File created C:\Windows\SysWOW64\Kqkplq32.dll Pbcncibp.exe File created C:\Windows\SysWOW64\Eidlnd32.exe Efepbi32.exe File created C:\Windows\SysWOW64\Omgcpokp.exe Ojigdcll.exe File created C:\Windows\SysWOW64\Kcmgob32.dll Ekmhejao.exe File created C:\Windows\SysWOW64\Igcnla32.dll Hiipmhmk.exe File opened for modification C:\Windows\SysWOW64\Johnamkm.exe Jljbeali.exe File created C:\Windows\SysWOW64\Mcpcdg32.exe Mmfkhmdi.exe File opened for modification C:\Windows\SysWOW64\Oplfkeob.exe Omnjojpo.exe File created C:\Windows\SysWOW64\Nmdkcj32.dll Lfiokmkc.exe File created C:\Windows\SysWOW64\Injmcmej.exe Iinqbn32.exe File created C:\Windows\SysWOW64\Fqjmdflo.dll Lgqfdnah.exe File opened for modification C:\Windows\SysWOW64\Mjmoag32.exe Mkjnfkma.exe File created C:\Windows\SysWOW64\Hopnfa32.dll Palbgl32.exe File created C:\Windows\SysWOW64\Bpenhh32.dll Nodiqp32.exe File created C:\Windows\SysWOW64\Bbaclegm.exe Bdocph32.exe File opened for modification C:\Windows\SysWOW64\Elbhjp32.exe Emphocjj.exe File created C:\Windows\SysWOW64\Lodabb32.dll Omalpc32.exe File opened for modification C:\Windows\SysWOW64\Gaebef32.exe Gngeik32.exe File created C:\Windows\SysWOW64\Bdocph32.exe Bpcgpihi.exe File opened for modification C:\Windows\SysWOW64\Lomjicei.exe Lhcali32.exe File opened for modification C:\Windows\SysWOW64\Cjliajmo.exe Ckkiccep.exe File opened for modification C:\Windows\SysWOW64\Gndick32.exe Gpaihooo.exe File created C:\Windows\SysWOW64\Jggocdgo.dll Hicpgc32.exe File opened for modification C:\Windows\SysWOW64\Hemmac32.exe Hhimhobl.exe File created C:\Windows\SysWOW64\Hpcodihc.exe Hiiggoaf.exe File created C:\Windows\SysWOW64\Dkfadkgf.exe Digehphc.exe File created C:\Windows\SysWOW64\Cmgilf32.dll Mbibfm32.exe File created C:\Windows\SysWOW64\Fohhdm32.dll Cmgqpkip.exe File opened for modification C:\Windows\SysWOW64\Geoapenf.exe Gacepg32.exe File created C:\Windows\SysWOW64\Ckdkhq32.exe Ccmcgcmp.exe File created C:\Windows\SysWOW64\Elfahb32.dll Egkddo32.exe File created C:\Windows\SysWOW64\Dimenegi.exe Djjebh32.exe File created C:\Windows\SysWOW64\Dnjfibml.dll Baadiiif.exe File opened for modification C:\Windows\SysWOW64\Cnfaohbj.exe Ckhecmcf.exe File created C:\Windows\SysWOW64\Fimhjl32.exe Ffnknafg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5036 16832 WerFault.exe 948 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqncejg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilphdlqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojiiafp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpmjejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplhhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcinna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djelgied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagiji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplfkeob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfiddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglkoeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fohfbpgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiacacpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efpomccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefnkkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimhjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkofga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamamcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omalpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmgqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphkkpbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibqnkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhbmgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkiccep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojmcdgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likhem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjoppf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjkcadp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiobceef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpphljo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kibeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eahobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igbalblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdciiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heegad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipflihfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpdhboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmingjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfggkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnoqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlmchoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkknmgd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll" Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll" Pcegclgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjecpkcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll" Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpiecd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjaabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlmchoan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgngnj32.dll" Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemqgjog.dll" Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcoljagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eajlhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fnhbmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnfdoa.dll" Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pplhhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll" Eqmlccdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhnikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Doaneiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbhgf32.dll" Ffobhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qoelkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjhfcm32.dll" Qiiflaoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kadcjkfm.dll" Codhnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djhimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecgcfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpjfgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flfkkhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjpjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll" Gpolbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afappe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll" Fgiaemic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njkkbehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amlkko32.dll" Kcejco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eahobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackhdo32.dll" Gpecbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpaleglc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mofmobmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bipecnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhaiafem.dll" Ekimjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clddmhpl.dll" Lmmolepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eehicoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dinael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikikigb.dll" Cbdjeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll" Ojcpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leldmdbk.dll" Biklho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eddnic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpgnjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll" Kibeoo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1116 wrote to memory of 4032 1116 fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5eN.exe 84 PID 1116 wrote to memory of 4032 1116 fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5eN.exe 84 PID 1116 wrote to memory of 4032 1116 fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5eN.exe 84 PID 4032 wrote to memory of 3144 4032 Bmofagfp.exe 85 PID 4032 wrote to memory of 3144 4032 Bmofagfp.exe 85 PID 4032 wrote to memory of 3144 4032 Bmofagfp.exe 85 PID 3144 wrote to memory of 4052 3144 Bcinna32.exe 86 PID 3144 wrote to memory of 4052 3144 Bcinna32.exe 86 PID 3144 wrote to memory of 4052 3144 Bcinna32.exe 86 PID 4052 wrote to memory of 3092 4052 Bjbfklei.exe 87 PID 4052 wrote to memory of 3092 4052 Bjbfklei.exe 87 PID 4052 wrote to memory of 3092 4052 Bjbfklei.exe 87 PID 3092 wrote to memory of 3300 3092 Bkdcbd32.exe 88 PID 3092 wrote to memory of 3300 3092 Bkdcbd32.exe 88 PID 3092 wrote to memory of 3300 3092 Bkdcbd32.exe 88 PID 3300 wrote to memory of 3408 3300 Bbnkonbd.exe 89 PID 3300 wrote to memory of 3408 3300 Bbnkonbd.exe 89 PID 3300 wrote to memory of 3408 3300 Bbnkonbd.exe 89 PID 3408 wrote to memory of 3616 3408 Cjecpkcg.exe 90 PID 3408 wrote to memory of 3616 3408 Cjecpkcg.exe 90 PID 3408 wrote to memory of 3616 3408 Cjecpkcg.exe 90 PID 3616 wrote to memory of 4320 3616 Ckfphc32.exe 91 PID 3616 wrote to memory of 4320 3616 Ckfphc32.exe 91 PID 3616 wrote to memory of 4320 3616 Ckfphc32.exe 91 PID 4320 wrote to memory of 1944 4320 Ccmgiaig.exe 92 PID 4320 wrote to memory of 1944 4320 Ccmgiaig.exe 92 PID 4320 wrote to memory of 1944 4320 Ccmgiaig.exe 92 PID 1944 wrote to memory of 4152 1944 Cjgpfk32.exe 94 PID 1944 wrote to memory of 4152 1944 Cjgpfk32.exe 94 PID 1944 wrote to memory of 4152 1944 Cjgpfk32.exe 94 PID 4152 wrote to memory of 3376 4152 Codhnb32.exe 95 PID 4152 wrote to memory of 3376 4152 Codhnb32.exe 95 PID 4152 wrote to memory of 3376 4152 Codhnb32.exe 95 PID 3376 wrote to memory of 1052 3376 Cjjlkk32.exe 97 PID 3376 wrote to memory of 1052 3376 Cjjlkk32.exe 97 PID 3376 wrote to memory of 1052 3376 Cjjlkk32.exe 97 PID 1052 wrote to memory of 1256 1052 Ckkiccep.exe 98 PID 1052 wrote to memory of 1256 1052 Ckkiccep.exe 98 PID 1052 wrote to memory of 1256 1052 Ckkiccep.exe 98 PID 1256 wrote to memory of 1176 1256 Cjliajmo.exe 99 PID 1256 wrote to memory of 1176 1256 Cjliajmo.exe 99 PID 1256 wrote to memory of 1176 1256 Cjliajmo.exe 99 PID 1176 wrote to memory of 4716 1176 Cioilg32.exe 100 PID 1176 wrote to memory of 4716 1176 Cioilg32.exe 100 PID 1176 wrote to memory of 4716 1176 Cioilg32.exe 100 PID 4716 wrote to memory of 4548 4716 Ckmehb32.exe 102 PID 4716 wrote to memory of 4548 4716 Ckmehb32.exe 102 PID 4716 wrote to memory of 4548 4716 Ckmehb32.exe 102 PID 4548 wrote to memory of 2320 4548 Cbgnemjj.exe 103 PID 4548 wrote to memory of 2320 4548 Cbgnemjj.exe 103 PID 4548 wrote to memory of 2320 4548 Cbgnemjj.exe 103 PID 2320 wrote to memory of 2352 2320 Cjnffjkl.exe 104 PID 2320 wrote to memory of 2352 2320 Cjnffjkl.exe 104 PID 2320 wrote to memory of 2352 2320 Cjnffjkl.exe 104 PID 2352 wrote to memory of 1784 2352 Ccgjopal.exe 105 PID 2352 wrote to memory of 1784 2352 Ccgjopal.exe 105 PID 2352 wrote to memory of 1784 2352 Ccgjopal.exe 105 PID 1784 wrote to memory of 3004 1784 Diccgfpd.exe 106 PID 1784 wrote to memory of 3004 1784 Diccgfpd.exe 106 PID 1784 wrote to memory of 3004 1784 Diccgfpd.exe 106 PID 3004 wrote to memory of 4512 3004 Dcigeooj.exe 107 PID 3004 wrote to memory of 4512 3004 Dcigeooj.exe 107 PID 3004 wrote to memory of 4512 3004 Dcigeooj.exe 107 PID 4512 wrote to memory of 3544 4512 Djcoai32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5eN.exe"C:\Users\Admin\AppData\Local\Temp\fe86f72c9afd2ab0eedc31b576f40df6c126d576b29d47c1e27a864a77baab5eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe23⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:428 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe26⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe27⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe29⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe30⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe31⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe32⤵PID:3968
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe33⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe34⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe37⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe38⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe39⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe41⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe42⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe43⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe44⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe46⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe48⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe49⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe50⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe53⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe55⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4908 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe57⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Eidlnd32.exeC:\Windows\system32\Eidlnd32.exe59⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe62⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe63⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe64⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe65⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe66⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe67⤵PID:3648
-
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe68⤵PID:2420
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe69⤵PID:4940
-
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe70⤵PID:2288
-
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe71⤵PID:2152
-
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe72⤵PID:4344
-
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe73⤵PID:3356
-
C:\Windows\SysWOW64\Emdajb32.exeC:\Windows\system32\Emdajb32.exe74⤵PID:5016
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe75⤵PID:1004
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe76⤵PID:4848
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe77⤵PID:4980
-
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe78⤵PID:4304
-
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe79⤵PID:2304
-
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe80⤵PID:4356
-
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe81⤵PID:2388
-
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe82⤵PID:4928
-
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe83⤵PID:392
-
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe84⤵
- Modifies registry class
PID:3456 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe85⤵PID:2612
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe86⤵PID:972
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe87⤵PID:4432
-
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1328 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe89⤵PID:2584
-
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe90⤵PID:3684
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe91⤵PID:1624
-
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe92⤵PID:3996
-
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe93⤵PID:1956
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe94⤵PID:2260
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe95⤵PID:3792
-
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe97⤵PID:1512
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe98⤵PID:436
-
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe99⤵PID:1252
-
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe100⤵PID:4944
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe101⤵PID:2124
-
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe102⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe103⤵PID:1548
-
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe104⤵PID:5160
-
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe105⤵PID:5204
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe106⤵PID:5248
-
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe107⤵
- Drops file in System32 directory
PID:5296 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe109⤵PID:5384
-
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe110⤵PID:5428
-
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe111⤵PID:5472
-
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe112⤵PID:5516
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe113⤵PID:5564
-
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe114⤵PID:5608
-
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe115⤵PID:5656
-
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe116⤵
- Drops file in System32 directory
PID:5700 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe117⤵PID:5744
-
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5788 -
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe119⤵PID:5832
-
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe120⤵
- System Location Discovery: System Language Discovery
PID:5876 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5920
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-