8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/09/2024, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Size

96KB
MD5

518e6ea9ea9761987f7567a4248f8af0
SHA1

b30e4fe615a774de21a6e58e0b8bbfdab942db0e
SHA256

8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8
SHA512

8206e9044e0d55d9f85949d80542af72e2a368b6fea5819478f33a172af468f3eb8b2304fe83a9cfca50d0fd26bdda2bc5ba10440abd9e81643ddc9cc99a097e
SSDEEP

1536:Z4BAtUZXQqtM/zjj10QnTZudUPgJYnQqeS3OtksRQjYRkRLJzeLD9N0iQGRNQR8A:+V3SR0mTlYKExekSJdEN0s4WE+3SN

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abdeoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgaahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnnfkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahcjmkbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdnkanfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binikb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgodcich.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgaahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdnkanfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abbhje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphehidc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnnfkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aegkfpah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgodcich.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aphehidc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahcjmkbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfikod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbhje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfikod32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aegkfpah.exe

Executes dropped EXE 26 IoCs

pid	Process
2156	Pdnkanfg.exe
2768	Pgodcich.exe
2732	Pgaahh32.exe
2852	Pnnfkb32.exe
2672	Qfikod32.exe
1132	Qmcclolh.exe
2548	Qghgigkn.exe
1312	Abbhje32.exe
2348	Abdeoe32.exe
2968	Aphehidc.exe
1516	Ahcjmkbo.exe
2164	Aegkfpah.exe
1364	Admgglep.exe
2432	Bdodmlcm.exe
1000	Bdaabk32.exe
1676	Binikb32.exe
1644	Bfbjdf32.exe
1284	Bdfjnkne.exe
2316	Blaobmkq.exe
2356	Cggcofkf.exe
1748	Cpohhk32.exe
1840	Ciglaa32.exe
2380	Ckiiiine.exe
3028	Chmibmlo.exe
1752	Ceqjla32.exe
2752	Coindgbi.exe

Loads dropped DLL 52 IoCs

pid	Process
2236	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
2236	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
2156	Pdnkanfg.exe
2156	Pdnkanfg.exe
2768	Pgodcich.exe
2768	Pgodcich.exe
2732	Pgaahh32.exe
2732	Pgaahh32.exe
2852	Pnnfkb32.exe
2852	Pnnfkb32.exe
2672	Qfikod32.exe
2672	Qfikod32.exe
1132	Qmcclolh.exe
1132	Qmcclolh.exe
2548	Qghgigkn.exe
2548	Qghgigkn.exe
1312	Abbhje32.exe
1312	Abbhje32.exe
2348	Abdeoe32.exe
2348	Abdeoe32.exe
2968	Aphehidc.exe
2968	Aphehidc.exe
1516	Ahcjmkbo.exe
1516	Ahcjmkbo.exe
2164	Aegkfpah.exe
2164	Aegkfpah.exe
1364	Admgglep.exe
1364	Admgglep.exe
2432	Bdodmlcm.exe
2432	Bdodmlcm.exe
1000	Bdaabk32.exe
1000	Bdaabk32.exe
1676	Binikb32.exe
1676	Binikb32.exe
1644	Bfbjdf32.exe
1644	Bfbjdf32.exe
1284	Bdfjnkne.exe
1284	Bdfjnkne.exe
2316	Blaobmkq.exe
2316	Blaobmkq.exe
2356	Cggcofkf.exe
2356	Cggcofkf.exe
1748	Cpohhk32.exe
1748	Cpohhk32.exe
1840	Ciglaa32.exe
1840	Ciglaa32.exe
2380	Ckiiiine.exe
2380	Ckiiiine.exe
3028	Chmibmlo.exe
3028	Chmibmlo.exe
1752	Ceqjla32.exe
1752	Ceqjla32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kpfdhgca.dll	Bdaabk32.exe
File created	C:\Windows\SysWOW64\Djenbd32.dll	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Lnoipg32.dll	Qmcclolh.exe
File created	C:\Windows\SysWOW64\Abbhje32.exe	Qghgigkn.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Cpohhk32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File opened for modification	C:\Windows\SysWOW64\Pgodcich.exe	Pdnkanfg.exe
File created	C:\Windows\SysWOW64\Oellihpf.dll	Qfikod32.exe
File created	C:\Windows\SysWOW64\Ahcjmkbo.exe	Aphehidc.exe
File opened for modification	C:\Windows\SysWOW64\Ahcjmkbo.exe	Aphehidc.exe
File created	C:\Windows\SysWOW64\Hfgjcq32.dll	Ahcjmkbo.exe
File created	C:\Windows\SysWOW64\Bdodmlcm.exe	Admgglep.exe
File opened for modification	C:\Windows\SysWOW64\Bdodmlcm.exe	Admgglep.exe
File created	C:\Windows\SysWOW64\Bkofkccd.dll	Binikb32.exe
File created	C:\Windows\SysWOW64\Pfekjn32.dll	Pnnfkb32.exe
File opened for modification	C:\Windows\SysWOW64\Aphehidc.exe	Abdeoe32.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Mncmib32.dll	Aphehidc.exe
File created	C:\Windows\SysWOW64\Jggdmb32.dll	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Cggcofkf.exe	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Pdnkanfg.exe	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
File created	C:\Windows\SysWOW64\Mqpfnk32.dll	Pgaahh32.exe
File opened for modification	C:\Windows\SysWOW64\Admgglep.exe	Aegkfpah.exe
File created	C:\Windows\SysWOW64\Bdaabk32.exe	Bdodmlcm.exe
File opened for modification	C:\Windows\SysWOW64\Pdnkanfg.exe	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
File created	C:\Windows\SysWOW64\Phohmbjf.dll	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
File opened for modification	C:\Windows\SysWOW64\Cpohhk32.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Ipgfpp32.dll	Abdeoe32.exe
File opened for modification	C:\Windows\SysWOW64\Blaobmkq.exe	Bdfjnkne.exe
File opened for modification	C:\Windows\SysWOW64\Pnnfkb32.exe	Pgaahh32.exe
File opened for modification	C:\Windows\SysWOW64\Qmcclolh.exe	Qfikod32.exe
File created	C:\Windows\SysWOW64\Abdeoe32.exe	Abbhje32.exe
File created	C:\Windows\SysWOW64\Eiibij32.dll	Abbhje32.exe
File opened for modification	C:\Windows\SysWOW64\Bfbjdf32.exe	Binikb32.exe
File created	C:\Windows\SysWOW64\Beegbq32.dll	Pdnkanfg.exe
File created	C:\Windows\SysWOW64\Pnnfkb32.exe	Pgaahh32.exe
File opened for modification	C:\Windows\SysWOW64\Cggcofkf.exe	Blaobmkq.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bdaabk32.exe	Bdodmlcm.exe
File created	C:\Windows\SysWOW64\Kacclb32.dll	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Llpaflnl.dll	Admgglep.exe
File created	C:\Windows\SysWOW64\Blaobmkq.exe	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Qfikod32.exe	Pnnfkb32.exe
File created	C:\Windows\SysWOW64\Aegkfpah.exe	Ahcjmkbo.exe
File opened for modification	C:\Windows\SysWOW64\Qghgigkn.exe	Qmcclolh.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Pgaahh32.exe	Pgodcich.exe
File created	C:\Windows\SysWOW64\Ikicmc32.dll	Pgodcich.exe
File created	C:\Windows\SysWOW64\Binikb32.exe	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Qfikod32.exe	Pnnfkb32.exe
File created	C:\Windows\SysWOW64\Qghgigkn.exe	Qmcclolh.exe
File opened for modification	C:\Windows\SysWOW64\Abdeoe32.exe	Abbhje32.exe
File created	C:\Windows\SysWOW64\Peapkpkj.dll	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Gaocdi32.dll	Qghgigkn.exe
File created	C:\Windows\SysWOW64\Eobohl32.dll	Aegkfpah.exe
File created	C:\Windows\SysWOW64\Bijpeihq.dll	Bdodmlcm.exe
File created	C:\Windows\SysWOW64\Cpohhk32.exe	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Cnfnahkp.dll	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Pgodcich.exe	Pdnkanfg.exe
File created	C:\Windows\SysWOW64\Qmcclolh.exe	Qfikod32.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdnkanfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggcofkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qghgigkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbhje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdaabk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpohhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmcclolh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aegkfpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binikb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgodcich.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnnfkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdeoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgaahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahcjmkbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfikod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfbjdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaobmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphehidc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admgglep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdodmlcm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgodcich.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnnfkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll"	Binikb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfikod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beegbq32.dll"	Pdnkanfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfikod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfdhgca.dll"	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacclb32.dll"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikicmc32.dll"	Pgodcich.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpfnk32.dll"	Pgaahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfgjcq32.dll"	Ahcjmkbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aegkfpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aegkfpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijpeihq.dll"	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgaahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oellihpf.dll"	Qfikod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll"	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qghgigkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llpaflnl.dll"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll"	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahcjmkbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdodmlcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaocdi32.dll"	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abbhje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiibij32.dll"	Abbhje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aphehidc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abbhje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgfpp32.dll"	Abdeoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncmib32.dll"	Aphehidc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobohl32.dll"	Aegkfpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdnkanfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdnkanfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgodcich.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Binikb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phohmbjf.dll"	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgaahh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2156	2236	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe	30
PID 2236 wrote to memory of 2156	2236	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe	30
PID 2236 wrote to memory of 2156	2236	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe	30
PID 2236 wrote to memory of 2156	2236	8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe	30
PID 2156 wrote to memory of 2768	2156	Pdnkanfg.exe	31
PID 2156 wrote to memory of 2768	2156	Pdnkanfg.exe	31
PID 2156 wrote to memory of 2768	2156	Pdnkanfg.exe	31
PID 2156 wrote to memory of 2768	2156	Pdnkanfg.exe	31
PID 2768 wrote to memory of 2732	2768	Pgodcich.exe	32
PID 2768 wrote to memory of 2732	2768	Pgodcich.exe	32
PID 2768 wrote to memory of 2732	2768	Pgodcich.exe	32
PID 2768 wrote to memory of 2732	2768	Pgodcich.exe	32
PID 2732 wrote to memory of 2852	2732	Pgaahh32.exe	33
PID 2732 wrote to memory of 2852	2732	Pgaahh32.exe	33
PID 2732 wrote to memory of 2852	2732	Pgaahh32.exe	33
PID 2732 wrote to memory of 2852	2732	Pgaahh32.exe	33
PID 2852 wrote to memory of 2672	2852	Pnnfkb32.exe	34
PID 2852 wrote to memory of 2672	2852	Pnnfkb32.exe	34
PID 2852 wrote to memory of 2672	2852	Pnnfkb32.exe	34
PID 2852 wrote to memory of 2672	2852	Pnnfkb32.exe	34
PID 2672 wrote to memory of 1132	2672	Qfikod32.exe	35
PID 2672 wrote to memory of 1132	2672	Qfikod32.exe	35
PID 2672 wrote to memory of 1132	2672	Qfikod32.exe	35
PID 2672 wrote to memory of 1132	2672	Qfikod32.exe	35
PID 1132 wrote to memory of 2548	1132	Qmcclolh.exe	36
PID 1132 wrote to memory of 2548	1132	Qmcclolh.exe	36
PID 1132 wrote to memory of 2548	1132	Qmcclolh.exe	36
PID 1132 wrote to memory of 2548	1132	Qmcclolh.exe	36
PID 2548 wrote to memory of 1312	2548	Qghgigkn.exe	37
PID 2548 wrote to memory of 1312	2548	Qghgigkn.exe	37
PID 2548 wrote to memory of 1312	2548	Qghgigkn.exe	37
PID 2548 wrote to memory of 1312	2548	Qghgigkn.exe	37
PID 1312 wrote to memory of 2348	1312	Abbhje32.exe	38
PID 1312 wrote to memory of 2348	1312	Abbhje32.exe	38
PID 1312 wrote to memory of 2348	1312	Abbhje32.exe	38
PID 1312 wrote to memory of 2348	1312	Abbhje32.exe	38
PID 2348 wrote to memory of 2968	2348	Abdeoe32.exe	39
PID 2348 wrote to memory of 2968	2348	Abdeoe32.exe	39
PID 2348 wrote to memory of 2968	2348	Abdeoe32.exe	39
PID 2348 wrote to memory of 2968	2348	Abdeoe32.exe	39
PID 2968 wrote to memory of 1516	2968	Aphehidc.exe	40
PID 2968 wrote to memory of 1516	2968	Aphehidc.exe	40
PID 2968 wrote to memory of 1516	2968	Aphehidc.exe	40
PID 2968 wrote to memory of 1516	2968	Aphehidc.exe	40
PID 1516 wrote to memory of 2164	1516	Ahcjmkbo.exe	41
PID 1516 wrote to memory of 2164	1516	Ahcjmkbo.exe	41
PID 1516 wrote to memory of 2164	1516	Ahcjmkbo.exe	41
PID 1516 wrote to memory of 2164	1516	Ahcjmkbo.exe	41
PID 2164 wrote to memory of 1364	2164	Aegkfpah.exe	42
PID 2164 wrote to memory of 1364	2164	Aegkfpah.exe	42
PID 2164 wrote to memory of 1364	2164	Aegkfpah.exe	42
PID 2164 wrote to memory of 1364	2164	Aegkfpah.exe	42
PID 1364 wrote to memory of 2432	1364	Admgglep.exe	43
PID 1364 wrote to memory of 2432	1364	Admgglep.exe	43
PID 1364 wrote to memory of 2432	1364	Admgglep.exe	43
PID 1364 wrote to memory of 2432	1364	Admgglep.exe	43
PID 2432 wrote to memory of 1000	2432	Bdodmlcm.exe	44
PID 2432 wrote to memory of 1000	2432	Bdodmlcm.exe	44
PID 2432 wrote to memory of 1000	2432	Bdodmlcm.exe	44
PID 2432 wrote to memory of 1000	2432	Bdodmlcm.exe	44
PID 1000 wrote to memory of 1676	1000	Bdaabk32.exe	45
PID 1000 wrote to memory of 1676	1000	Bdaabk32.exe	45
PID 1000 wrote to memory of 1676	1000	Bdaabk32.exe	45
PID 1000 wrote to memory of 1676	1000	Bdaabk32.exe	45

C:\Users\Admin\AppData\Local\Temp\8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe
"C:\Users\Admin\AppData\Local\Temp\8eac3c4bb2930ef64daa5802727e5eb4e06da612ab2eaf254f26d9bc23db18a8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\Pdnkanfg.exe
  C:\Windows\system32\Pdnkanfg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\Pgodcich.exe
    C:\Windows\system32\Pgodcich.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\Pgaahh32.exe
      C:\Windows\system32\Pgaahh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Pnnfkb32.exe
        
        C:\Windows\system32\Pnnfkb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\SysWOW64\Qfikod32.exe
        
        C:\Windows\system32\Qfikod32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Qmcclolh.exe
        
        C:\Windows\system32\Qmcclolh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Qghgigkn.exe
        
        C:\Windows\system32\Qghgigkn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Abbhje32.exe
        
        C:\Windows\system32\Abbhje32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Abdeoe32.exe
        
        C:\Windows\system32\Abdeoe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Aphehidc.exe
        
        C:\Windows\system32\Aphehidc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ahcjmkbo.exe
        
        C:\Windows\system32\Ahcjmkbo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Aegkfpah.exe
        
        C:\Windows\system32\Aegkfpah.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Admgglep.exe
        
        C:\Windows\system32\Admgglep.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Bdodmlcm.exe
        
        C:\Windows\system32\Bdodmlcm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Bdaabk32.exe
        
        C:\Windows\system32\Bdaabk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Binikb32.exe
        
        C:\Windows\system32\Binikb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Bfbjdf32.exe
        
        C:\Windows\system32\Bfbjdf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Blaobmkq.exe
        
        C:\Windows\system32\Blaobmkq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Cggcofkf.exe
        
        C:\Windows\system32\Cggcofkf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Cpohhk32.exe
        
        C:\Windows\system32\Cpohhk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abdeoe32.exe

Filesize
96KB

MD5
a63289816e4a8679793fd425e19d8a4c

SHA1
1a94716638bed51df2e6fedcce35b9164076f741

SHA256
ceb52506c96c6054a3076b622d382ddb3cc8de128960528399bfe5bc95458d9d

SHA512
ea836753a9c8f9613f3dcd82d985cd006a8aaa93c4f80e8e0acb81b52f78bce3eb41ff9ecca7fa482a9b0a0118412379e478b9d5736e3a71328487d6a7e35837

Download Submit
C:\Windows\SysWOW64\Aegkfpah.exe

Filesize
96KB

MD5
80f23bf1af36011db23495cf8932c531

SHA1
f510b9b31b704b0deaa2918d4e28515972c6713e

SHA256
b5cbc97657ae96161898a1c4bf3e6a210af8916939deaa186631a3934471c315

SHA512
75ad87d4c815c31e42c8706eeba11ab195c847a1953ca9d49b4476dfeddbb790726d9a0fda7f1351c56838aa96c3b077a41a49bd8d0c798b6f7ec70d6bd64e81

Download Submit
C:\Windows\SysWOW64\Ahcjmkbo.exe

Filesize
96KB

MD5
0585417dc57f0c8b60804d7d2c5c659a

SHA1
bc218a8bd84aed6515e6f73151f01a35bbfb431c

SHA256
538bf31d4947ecfb386139573612081e75d08c711eb3a558d4141cc13f5d419b

SHA512
3ae80e6c41ef034fc045502c93d1a635232f69d27c221236311fe218884fb47ccf499c6079e1119e1f109463c7ea15631a8d9f7a9d9fe6e0d259ce1febddff74

Download Submit
C:\Windows\SysWOW64\Aphehidc.exe

Filesize
96KB

MD5
f55f138e03e71efe78226bebc4aaeedc

SHA1
1e399d0ca43e5b6bc0518ded48edba68e3eeeb76

SHA256
6ff192023e1ae574d515b9c4830fcaa496fe26d8af23d94b6fc45d72980f7a84

SHA512
10b1a79d0ef1af8216314bb3a950e0b100909b863eb386f58fa668304ea9dc509a5d74bb6c4af83f60dd988ea4d1d37f9abd978f642c4d00d1adc9c0e07a4e00

Download Submit
C:\Windows\SysWOW64\Bdfjnkne.exe

Filesize
96KB

MD5
a73918a4fb13173832725f637a5fc98e

SHA1
1d1c0efa30218381a46ab5513ab7b10d664ada7c

SHA256
507c2a7551af6a407c8791aed602ffa59270e6d32bd6bd5caaeb85b221eeecc1

SHA512
987689c880f4d9360dc917676edbea45ed53b77f097086f22e71f0e26ced78fc63b8e7a4ab72c6369e0bd33f87350f364d874f695bed89394b747bd3a4d0706e

Download Submit
C:\Windows\SysWOW64\Bfbjdf32.exe

Filesize
96KB

MD5
0dc404ff410059ab3d9045ef6f43e62b

SHA1
0fc6fc883ac4e4b7499bcd896276cc7ef46b7a0f

SHA256
02d5a087b042466c19bef60b1e8b35c8b0f39c2a123e2cf6fa043c251d9fefa1

SHA512
a522f8e98b5f9d6bd54ef9f33e279d37ee7c6c5e8a831f93a3fc203de22aead09dfbfa3207ee3af2774413e4ec8448e30e739ee1aebf323a6ca85862d1a64087

Download Submit
C:\Windows\SysWOW64\Binikb32.exe

Filesize
96KB

MD5
6de7c2894d27f272794cbcd6bc62bc19

SHA1
58bf13aa7023db620b26cd1223933c87d5ef0599

SHA256
e05e368a0125c9fbaf1e0a6649f614c8052cc2ae0823430e90c82031971da546

SHA512
da78af318dd3b2ae163e9dbdb92e1c834ca3c2ac3a470472b02909438b50fee8339144426ee4d4619a4454bfa443c64910dec0e7b4d23bf71de822271dcbf474

Download Submit
C:\Windows\SysWOW64\Blaobmkq.exe

Filesize
96KB

MD5
f3564626b368040303bf796aa0413a8c

SHA1
bd0f6668d56f7c518f89a35612d2f8ded5191902

SHA256
b5e7beed376971846952ce07d65d2a58028547ec47736531968a8b3f3bf46b4b

SHA512
0ceb1b6ff806c2c9319bd2591cb0d2d23c5c977478a9663ff5dfab21761b4fa4603ea6d2eea8e2f6f014db3d13d6a152de4fdcc52cbd241ae8f0f0be7249056b

Download Submit
C:\Windows\SysWOW64\Ceqjla32.exe

Filesize
96KB

MD5
2f9dcbc604a681985ab8810d0427f1ab

SHA1
6b5196ea5e1740ac2943070a68930eb591b628f4

SHA256
d31f9b01b79b375cf0c59ab1dd854c18835cf2d6cca0fb48b5d6f4301c6043aa

SHA512
76350b780ed0fa309d7a2db875f140a6c9f65400a6f8540ce6a715709526246f72378c17a43009cc35842f6d2bdc520aedc12f7b6d13bff9400b862e2f77a935

Download Submit
C:\Windows\SysWOW64\Cggcofkf.exe

Filesize
96KB

MD5
c7ce1a7b89d6f831bf2b4d809bb5bc97

SHA1
e463d18c86af410f1e4d27f725fad123d188a0af

SHA256
fb39ffa31b46e4a44b9ca798bec54de33ba04df106dea4f894f4dada56f32250

SHA512
c599628ea013702161ed892c772780cf25828a62bdc48d29d4267e50cdbae8a6ca69588a0d4bcc268ec0df9c324c0130afc382e74dac4c8c02c95bc8e6a72c3a

Download Submit
C:\Windows\SysWOW64\Chmibmlo.exe

Filesize
96KB

MD5
e4bbf123e3ac74f41f2559af3ba8163a

SHA1
e4a713b9e7564f878c903723527f739f7959d74b

SHA256
889ebbc6b07f4a55f0434a75ee24875918f4e83ec4b59d1c3b0dad57beaffddb

SHA512
e56950d11c739f6403c691073360a84b786ed2f8c59d3566814aba2426d272bbf9f47839112175a533c7cb08ed8722282cc2be2501d6bf99eb6836dbbc81ca09

Download Submit
C:\Windows\SysWOW64\Ciglaa32.exe

Filesize
96KB

MD5
0f07ad7a576fe4a4618ebdcc25126a43

SHA1
49b27690b434c4b96e9aa4952fcb441e78107068

SHA256
3175f01460b4da271f979792fb897448774af09022a70e233b415dd7e437fc86

SHA512
813877beeda4bf4ff654648b50083755d8bab4675c27ccb6059c4dac4ab62afc1ade7989ceece76670f0d14bdac9de284b4c49ce3097127b0dbd1d7b23e48280

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
96KB

MD5
8c3f06356639e0c663dc62e33a276837

SHA1
51d85b7f73b02de87ea9facd7ff3e01d6a330b9c

SHA256
8b373ac89a4a2033c944da84aedf1b764b18b59bbde3fc16a23529a4f2fbffd5

SHA512
d7203967c3f6d2c4891f95ca87cd4695d9ecd8209084febe1bcfe55d3867e459c792f65e40d529e9d9e73a49e8125407db29f1485dbc2d0a44cd208c194f7391

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
96KB

MD5
cbefe3b9a4cc6202afb40fb04b0d1900

SHA1
d367436a04db40a22b9ff40dc9c2c20064fc554c

SHA256
0bac46cee6f2213041a56c25e6f52c50401336c04076012a8ea47b7ed643f8ce

SHA512
778ea29d271d36606e5723a51c69e914574c6a41fd371536ad5d10aae85c8ec5affbff6e8ee1d8760c9fd1d839789cfa45808e6b3374de800d1fe0d5eb6eb61d

Download Submit
C:\Windows\SysWOW64\Cpohhk32.exe

Filesize
96KB

MD5
b6e708e716c01cee3f6e7ba9f247e325

SHA1
0ea0cbec68d9f0532f2623213a3e2a3b741ea9bb

SHA256
2978fe74c194ae66bb62b148f5fd612a090509fa9c661322a396bd468e923250

SHA512
6444b0e6d4008539c703d1b2c14e1ef7611b81969dfc6b0f8612c85bc64e3ccf633b55a04531fb6474428e9f1bac88d5fbe6b3debf1d7a40f226fccc38cb8d16

Download Submit
C:\Windows\SysWOW64\Pfekjn32.dll

Filesize
7KB

MD5
b301b6b7171215afa15f234eab201e73

SHA1
f5ddd9f2d2b166b3d6f98e2f0a39c5a89d8e2990

SHA256
fe2fd586059e45cba645cede45a5e54beab6cf04b2cafbb813778c0339ee988b

SHA512
780630295a341398bfcd953923198cc01066b49c983704214e3a123fc922cf0e5307529db760fb7824253944b76bd859a40779240435b33d743db9e91a43aaae

Download Submit
C:\Windows\SysWOW64\Qfikod32.exe

Filesize
96KB

MD5
4746deaa203afab17c5c4e127a552502

SHA1
4fb3d5c8196d58516188573970cdac5ea537eaf9

SHA256
ea4b63f0550170a3a9813b8d1cee4c4bb7eddec449580628b736c78de92ad997

SHA512
a71f99549a0e951ef9b4314908d8704f58318d2cc264a1cc3f145bfba5a059769f842bc644c93b88ed6ced9ecdfe694c27da3845b4ce9abb861d236a2db31f43

Download Submit
C:\Windows\SysWOW64\Qghgigkn.exe

Filesize
96KB

MD5
551d67d963ab6f05dc3b31190b987caa

SHA1
9ecc36400c2104181c9c6b8a146e7dd4417dd008

SHA256
239566a2c3cabd1b775f1ec2e97224400d5b4d2b63200b0ba3c15cbfab8eec28

SHA512
51b4bca3a6f4099cf13c7e36756e7e79294dd66f883bb1234db89eacddc1aa4918f55ebbb2c954bfa086b1ecca4a02040729c01db7f9812638714ada2dde697f

Download Submit
C:\Windows\SysWOW64\Qmcclolh.exe

Filesize
96KB

MD5
b2d2a3dcb421afa0afdd9931e2b69ce0

SHA1
8dea49655281f4ad40201de537c13b21b2606434

SHA256
e2b90d45c77a2c831098b708630c393df610e1012d1eb1b3942268fdeb968c67

SHA512
020333ae41cda5bd83b9f22f63683d97ac40762b063d90b892928418aa6fea4c097b73e0a9a38b4236bb9e36789e1b0e766909cb660ebd208f53cf9ffd8c14c4

Download Submit
\Windows\SysWOW64\Abbhje32.exe

Filesize
96KB

MD5
4cb227fd2dc7e64173afed42db4fe8f1

SHA1
88dca3b877be2ec01e3fae98fe7895b4d285553f

SHA256
577b83eeae713c5e041e12009073c1dd142aa77507ff9b25d18a54d2eec72b38

SHA512
8dddde9777e8eff1ea46a45b8c19608da637e79c914f03bd253b4aceb20bdabec8b4111cefc4a7ca498bb69cacfc7086c00b225499b74cef3fbdacd7aa4b249a

Download Submit
\Windows\SysWOW64\Admgglep.exe

Filesize
96KB

MD5
2e25df8b38899789d6f0ca04c09bf7d7

SHA1
03995fd3cada02485c26890e3a227cb4a82367d4

SHA256
c908fd390e8cd41cbe8776435bda63d2149268d748e52dc36d0555dc822e16b9

SHA512
c75e8325c305701f10ba69c045ee51300043dcd5642c5183eeecbdbfc8ad992d7f29c3eafe73e06770dde7d9fb93f6474a986297fbdc7ca672605ea07cb03482

Download Submit
\Windows\SysWOW64\Bdaabk32.exe

Filesize
96KB

MD5
d7058c4ef706fbd0c142abd22d73ff93

SHA1
4438c99d1f3984996e3c151f466c8b91c241923f

SHA256
0891b0a5318fbad10997f15ecefd181bdeef649302234c0f24cc6a28f2ddca5c

SHA512
b133b54c3d0328c4ba67cf22d0a614f14abe1c06d23293918cead37cd146272a6841d1b1055dd45fe34a9b172a877ed12dbfed79c57503e809e6c5a1ad96f166

Download Submit
\Windows\SysWOW64\Bdodmlcm.exe

Filesize
96KB

MD5
e40d578112228f269de434a8d75723d5

SHA1
41693f8bc90650253cc65e6ef95a20e48aa840b7

SHA256
6c6610f9462608df87d5e0fd1ce2951eb78e2168cf45e1013d7bc32e050e1674

SHA512
05ad51afc1bd3b04096249309ef3950d16f035d9174520b4e58a074ad07f1e1c1c8096d7cb58f4357bf6981746a0c8fd973dafd0e1d91bb6152878e8ff8bfbbf

Download Submit
\Windows\SysWOW64\Pdnkanfg.exe

Filesize
96KB

MD5
022ff657ac538a45c59137aaf12bf535

SHA1
d0b21daeeca41d716cd32c0045763924459c952c

SHA256
508599a7b5afb413c5df436a0e2e6727e3c90623136986d248653630e72f0969

SHA512
df5ed630fa13b91923a1089850317e213b0387e854b7db0180ceeaf41d708b6bd02394da5751c848ed677e4ef3fcbe87b7aba6c9e9908c59f9b90acc1556552b

Download Submit
\Windows\SysWOW64\Pgaahh32.exe

Filesize
96KB

MD5
e2734b4661c17dcc408a030dd6725290

SHA1
3210a1541a08254d6171340d0eb6e33953d22e23

SHA256
8eba23453190ac24f148b2c8d52872ee6a7c11e106636cd44e7f6345e4ed87ba

SHA512
95c8215fae364aa1bed1e943bb0ad5082217068ac1316da6c6b6184370fc8cd201e1a2dfbeab8fcfda5475257c5a0273ff7c6c39f6182fcc43e9a5abccca48d7

Download Submit
\Windows\SysWOW64\Pgodcich.exe

Filesize
96KB

MD5
a735ff74d3e17e35a9d5ce244caa4182

SHA1
4f17e435d8d2e4b4a37b92b86900ae211a0995ca

SHA256
855b53195d259d5758cb451fc3e226adcdec5836b032ae353dd74e4971263e5f

SHA512
605e13b3bb27f545a9b470e10adf2f530f18baea31389c5c0b6954289c48accfde62814b8d29d15198191c1a4a72b97eabed2850eb258c477befd7ebe2b07419

Download Submit
\Windows\SysWOW64\Pnnfkb32.exe

Filesize
96KB

MD5
1d9688f9f7945575a341665c1bcf07ed

SHA1
b282351f8937bf16afab00cee8f36c090648fdbb

SHA256
195e144b10b4e981c7b6c4b3ae09709b79d7d342331985f615d3601e56de79cb

SHA512
c78dda39a7d611a8003a8665a043ce0a49c9b2aa1fec5929adf235364bff9de38c051218c1bf9d55bbed1c20435df9b5e0142dbecbb2cd4a4238f91abdc6a1ef

Download Submit
memory/1000-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-233-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/1000-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-101-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1132-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-155-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1132-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-273-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1312-130-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1312-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-125-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1364-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1364-251-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1364-205-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1516-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-176-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1516-222-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1644-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-284-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1676-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-306-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1748-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-341-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1752-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-356-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1840-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-317-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2156-27-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2156-25-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2156-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-68-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2164-186-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2164-239-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2164-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-12-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2236-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2316-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-206-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2348-152-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2348-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-145-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2356-295-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2356-329-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2356-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-353-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2380-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-327-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2432-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-220-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2432-262-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2432-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-84-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2672-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-99-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2752-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-39-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2768-83-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-69-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2852-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-160-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/3028-336-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/3028-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads