berbew | 49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
Size

243KB
MD5

f16524fac46637ca3f7d99ff18773e33
SHA1

777c7b057c5452f0b2d8bf89e4207eecfcb0e240
SHA256

49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750
SHA512

2386f30b452671aeab4b156621011f73765b7ef38d69191ee87ff83fe3252b251d6392687853b175fcd6a77f2bebf92e24f081be1228e52418252df43e206fe8
SSDEEP

3072:rtNpnPBZQkkRqKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62QC:rtYRqKzwdlU2zlNgwTnAWtlhjQC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nidmfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbagipfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nidmfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nameek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhjjgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnafnopi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nameek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
1816	Ngealejo.exe
1516	Nameek32.exe
1952	Nidmfh32.exe
2828	Nnafnopi.exe
2204	Nhjjgd32.exe
2936	Odgamdef.exe
2532	Oidiekdn.exe
2232	Oekjjl32.exe
1684	Pbagipfi.exe
1916	Pdbdqh32.exe
2752	Pojecajj.exe
1820	Pdgmlhha.exe
2892	Paknelgk.exe
2076	Qcachc32.exe
1440	Apgagg32.exe
2508	Afdiondb.exe
680	Agjobffl.exe
2040	Aqbdkk32.exe
1892	Bnfddp32.exe
1564	Bjmeiq32.exe
2308	Bnknoogp.exe
3036	Bcjcme32.exe
2612	Bmbgfkje.exe
868	Cnfqccna.exe
2156	Cgoelh32.exe
1604	Caifjn32.exe
2804	Dpapaj32.exe

Loads dropped DLL 57 IoCs

pid	Process
1976	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
1976	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
1816	Ngealejo.exe
1816	Ngealejo.exe
1516	Nameek32.exe
1516	Nameek32.exe
1952	Nidmfh32.exe
1952	Nidmfh32.exe
2828	Nnafnopi.exe
2828	Nnafnopi.exe
2204	Nhjjgd32.exe
2204	Nhjjgd32.exe
2936	Odgamdef.exe
2936	Odgamdef.exe
2532	Oidiekdn.exe
2532	Oidiekdn.exe
2232	Oekjjl32.exe
2232	Oekjjl32.exe
1684	Pbagipfi.exe
1684	Pbagipfi.exe
1916	Pdbdqh32.exe
1916	Pdbdqh32.exe
2752	Pojecajj.exe
2752	Pojecajj.exe
1820	Pdgmlhha.exe
1820	Pdgmlhha.exe
2892	Paknelgk.exe
2892	Paknelgk.exe
2076	Qcachc32.exe
2076	Qcachc32.exe
1440	Apgagg32.exe
1440	Apgagg32.exe
2508	Afdiondb.exe
2508	Afdiondb.exe
680	Agjobffl.exe
680	Agjobffl.exe
2040	Aqbdkk32.exe
2040	Aqbdkk32.exe
1892	Bnfddp32.exe
1892	Bnfddp32.exe
1564	Bjmeiq32.exe
1564	Bjmeiq32.exe
2308	Bnknoogp.exe
2308	Bnknoogp.exe
3036	Bcjcme32.exe
3036	Bcjcme32.exe
2612	Bmbgfkje.exe
2612	Bmbgfkje.exe
868	Cnfqccna.exe
868	Cnfqccna.exe
2156	Cgoelh32.exe
2156	Cgoelh32.exe
1604	Caifjn32.exe
1604	Caifjn32.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nameek32.exe	Ngealejo.exe
File created	C:\Windows\SysWOW64\Oefdbdjo.dll	Oidiekdn.exe
File created	C:\Windows\SysWOW64\Ojefmknj.dll	Pbagipfi.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Odgamdef.exe	Nhjjgd32.exe
File created	C:\Windows\SysWOW64\Pojecajj.exe	Pdbdqh32.exe
File created	C:\Windows\SysWOW64\Hkgoklhk.dll	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Nhjjgd32.exe	Nnafnopi.exe
File opened for modification	C:\Windows\SysWOW64\Pdbdqh32.exe	Pbagipfi.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Mjpbcokk.dll	Nhjjgd32.exe
File created	C:\Windows\SysWOW64\Pqbolhmg.dll	Odgamdef.exe
File created	C:\Windows\SysWOW64\Oekjjl32.exe	Oidiekdn.exe
File opened for modification	C:\Windows\SysWOW64\Pbagipfi.exe	Oekjjl32.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Pdbdqh32.exe
File created	C:\Windows\SysWOW64\Pdgmlhha.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Nfcakjoj.dll	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
File created	C:\Windows\SysWOW64\Adqaqk32.dll	Ngealejo.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Afdiondb.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Oekjjl32.exe	Oidiekdn.exe
File created	C:\Windows\SysWOW64\Kjfkcopd.dll	Oekjjl32.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Qcachc32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Afdiondb.exe	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Oidiekdn.exe	Odgamdef.exe
File created	C:\Windows\SysWOW64\Incjbkig.dll	Qcachc32.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Nidmfh32.exe	Nameek32.exe
File created	C:\Windows\SysWOW64\Oidiekdn.exe	Odgamdef.exe
File created	C:\Windows\SysWOW64\Pdbdqh32.exe	Pbagipfi.exe
File created	C:\Windows\SysWOW64\Mdhpmg32.dll	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ngealejo.exe	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
File opened for modification	C:\Windows\SysWOW64\Nnafnopi.exe	Nidmfh32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Nnafnopi.exe	Nidmfh32.exe
File opened for modification	C:\Windows\SysWOW64\Paknelgk.exe	Pdgmlhha.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Hnoefj32.dll	Nnafnopi.exe
File created	C:\Windows\SysWOW64\Odgamdef.exe	Nhjjgd32.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Pdbdqh32.exe
File opened for modification	C:\Windows\SysWOW64\Pdgmlhha.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Paknelgk.exe	Pdgmlhha.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2796	2804	WerFault.exe	57

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafnopi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgamdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nameek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhjjgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oekjjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdbdqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngealejo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nidmfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oidiekdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nameek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnafnopi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpbcokk.dll"	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbolhmg.dll"	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nidmfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nidmfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefdbdjo.dll"	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adqaqk32.dll"	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll"	Nnafnopi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfkcopd.dll"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbagipfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nameek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll"	Nameek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgamdef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1816	1976	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe	31
PID 1976 wrote to memory of 1816	1976	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe	31
PID 1976 wrote to memory of 1816	1976	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe	31
PID 1976 wrote to memory of 1816	1976	49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe	31
PID 1816 wrote to memory of 1516	1816	Ngealejo.exe	32
PID 1816 wrote to memory of 1516	1816	Ngealejo.exe	32
PID 1816 wrote to memory of 1516	1816	Ngealejo.exe	32
PID 1816 wrote to memory of 1516	1816	Ngealejo.exe	32
PID 1516 wrote to memory of 1952	1516	Nameek32.exe	33
PID 1516 wrote to memory of 1952	1516	Nameek32.exe	33
PID 1516 wrote to memory of 1952	1516	Nameek32.exe	33
PID 1516 wrote to memory of 1952	1516	Nameek32.exe	33
PID 1952 wrote to memory of 2828	1952	Nidmfh32.exe	34
PID 1952 wrote to memory of 2828	1952	Nidmfh32.exe	34
PID 1952 wrote to memory of 2828	1952	Nidmfh32.exe	34
PID 1952 wrote to memory of 2828	1952	Nidmfh32.exe	34
PID 2828 wrote to memory of 2204	2828	Nnafnopi.exe	35
PID 2828 wrote to memory of 2204	2828	Nnafnopi.exe	35
PID 2828 wrote to memory of 2204	2828	Nnafnopi.exe	35
PID 2828 wrote to memory of 2204	2828	Nnafnopi.exe	35
PID 2204 wrote to memory of 2936	2204	Nhjjgd32.exe	36
PID 2204 wrote to memory of 2936	2204	Nhjjgd32.exe	36
PID 2204 wrote to memory of 2936	2204	Nhjjgd32.exe	36
PID 2204 wrote to memory of 2936	2204	Nhjjgd32.exe	36
PID 2936 wrote to memory of 2532	2936	Odgamdef.exe	37
PID 2936 wrote to memory of 2532	2936	Odgamdef.exe	37
PID 2936 wrote to memory of 2532	2936	Odgamdef.exe	37
PID 2936 wrote to memory of 2532	2936	Odgamdef.exe	37
PID 2532 wrote to memory of 2232	2532	Oidiekdn.exe	38
PID 2532 wrote to memory of 2232	2532	Oidiekdn.exe	38
PID 2532 wrote to memory of 2232	2532	Oidiekdn.exe	38
PID 2532 wrote to memory of 2232	2532	Oidiekdn.exe	38
PID 2232 wrote to memory of 1684	2232	Oekjjl32.exe	39
PID 2232 wrote to memory of 1684	2232	Oekjjl32.exe	39
PID 2232 wrote to memory of 1684	2232	Oekjjl32.exe	39
PID 2232 wrote to memory of 1684	2232	Oekjjl32.exe	39
PID 1684 wrote to memory of 1916	1684	Pbagipfi.exe	40
PID 1684 wrote to memory of 1916	1684	Pbagipfi.exe	40
PID 1684 wrote to memory of 1916	1684	Pbagipfi.exe	40
PID 1684 wrote to memory of 1916	1684	Pbagipfi.exe	40
PID 1916 wrote to memory of 2752	1916	Pdbdqh32.exe	41
PID 1916 wrote to memory of 2752	1916	Pdbdqh32.exe	41
PID 1916 wrote to memory of 2752	1916	Pdbdqh32.exe	41
PID 1916 wrote to memory of 2752	1916	Pdbdqh32.exe	41
PID 2752 wrote to memory of 1820	2752	Pojecajj.exe	42
PID 2752 wrote to memory of 1820	2752	Pojecajj.exe	42
PID 2752 wrote to memory of 1820	2752	Pojecajj.exe	42
PID 2752 wrote to memory of 1820	2752	Pojecajj.exe	42
PID 1820 wrote to memory of 2892	1820	Pdgmlhha.exe	43
PID 1820 wrote to memory of 2892	1820	Pdgmlhha.exe	43
PID 1820 wrote to memory of 2892	1820	Pdgmlhha.exe	43
PID 1820 wrote to memory of 2892	1820	Pdgmlhha.exe	43
PID 2892 wrote to memory of 2076	2892	Paknelgk.exe	44
PID 2892 wrote to memory of 2076	2892	Paknelgk.exe	44
PID 2892 wrote to memory of 2076	2892	Paknelgk.exe	44
PID 2892 wrote to memory of 2076	2892	Paknelgk.exe	44
PID 2076 wrote to memory of 1440	2076	Qcachc32.exe	45
PID 2076 wrote to memory of 1440	2076	Qcachc32.exe	45
PID 2076 wrote to memory of 1440	2076	Qcachc32.exe	45
PID 2076 wrote to memory of 1440	2076	Qcachc32.exe	45
PID 1440 wrote to memory of 2508	1440	Apgagg32.exe	46
PID 1440 wrote to memory of 2508	1440	Apgagg32.exe	46
PID 1440 wrote to memory of 2508	1440	Apgagg32.exe	46
PID 1440 wrote to memory of 2508	1440	Apgagg32.exe	46

C:\Users\Admin\AppData\Local\Temp\49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe
"C:\Users\Admin\AppData\Local\Temp\49e63d20e99ff3da5ce3c4948bfd7051c5db1ae48f7002d8e602a17fa12d0750.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\Ngealejo.exe
  C:\Windows\system32\Ngealejo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\Nameek32.exe
    C:\Windows\system32\Nameek32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\Nidmfh32.exe
      C:\Windows\system32\Nidmfh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\Nnafnopi.exe
        
        C:\Windows\system32\Nnafnopi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Nhjjgd32.exe
        
        C:\Windows\system32\Nhjjgd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Odgamdef.exe
        
        C:\Windows\system32\Odgamdef.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Oidiekdn.exe
        
        C:\Windows\system32\Oidiekdn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Oekjjl32.exe
        
        C:\Windows\system32\Oekjjl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Pdbdqh32.exe
        
        C:\Windows\system32\Pdbdqh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 144
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjobffl.exe

Filesize
243KB

MD5
75115118ffb2d761e0226deb3642c133

SHA1
cde25167054f6199bd289aa183d53a9136d738fd

SHA256
455f7509a73591383071650a8e95b259ebcfd6428cae92950e260cf556518f08

SHA512
37e44b5c7317ed6bf943a3cf062c8208cda5844cfab80c4fd52cc8d0d7c7e2918639028d38adfa471e457da2b4c39ea0548a4f95c201287ea1a1bb982740e4c0

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
243KB

MD5
aa6ac1f5496a929e871cc2a77ec2d28a

SHA1
8e34f20f8d224a307a77813d44324cfe4d86ed7c

SHA256
43eddad8fa6eeedef748ed21fb7997e027a5621df9bbb1bc2f0f6c89bf2d7388

SHA512
a8d8a473e9cbe5fc9099842a31baa0b076732c9804dae691af0b5e73e3aecdca96c48b79abb0a9949a0bcdf4651edb6510a750bc44488dc88cb795a3325341ee

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
243KB

MD5
eb38d73e9c307e49ea130efd3dcad79c

SHA1
2afe8b7dc110bf3698928426ef677ecfa4781afc

SHA256
b1c0ba36d035c84f3fbfe41fd15e523b77a3efd91ebc2bebe9dcb94c0e86a6fd

SHA512
6383699ba3afc704a09a06137478ac17774fd866220e06b561d6c209ce4c82bfde7bef118e491e5798137deb1f98a5f19841b98242010d7e385590a3b4f9e9ab

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
243KB

MD5
026a206fac34b2309585e6f1648f7235

SHA1
6d894b4309cee367b898b7a83b8268b5b0f1a17b

SHA256
0c7237febceffd1a1131b20f1dad1705e4bc5f24afc25c38e0aca70d6601a785

SHA512
3a9b4751e28877259a6ec87d57f04093e8b708e8946d373be000a783889ac53ab395c1399085353c54506ebafb877c8576492627f435c249d23a0e61f335ddbc

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
243KB

MD5
2fd4309a800f9a982ac3c3822017d12c

SHA1
c19af2238d8eabca52b1fe4e671ab3f3fefc35b0

SHA256
0085b08faed39492ade3de555d2d12782408a4954b8d81353f54f49f0e6689d7

SHA512
6f4ec2f03d60eb5040f03992b5a07bbf1d547c948868ceae26c3e6c81ad8bd0c2308283a16c72bfc574a1bc9647f7c6dddfc5a1652f4fdd167620a7f90a97c02

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
243KB

MD5
47d3c0b6f9a9d38553508234e036f9c5

SHA1
bc82bc1e149501b59ea4928c869e2507d6ca4d3e

SHA256
f101fc8c6bccc75497a99dc5b77234c9325dc7db1570893e83f44101e17cefc9

SHA512
edca5eb9f43883529bc3fe6ee173c71e14c311834fcbd6189e27cbf1c375a8c33263ec392871e4467f6a5ba491d0d73afe723e4089588ccd44103d515f864e4f

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
243KB

MD5
7d4478a3f66b7728feec4815a092c040

SHA1
52a7fdfcb111a30e42d2232f5a540f3b1e7d0cac

SHA256
355001b21de424211c283fd50b4eb68e1b88a61c1c7983c79def520839e5da3d

SHA512
f770f2628bd154b850420d26b9c0fc93714d9911a203b5c5a778b73dffcdc93e5580f00b17ca2f73c8e751b3c42596a4d9fe1f4f6ff82365ee60e52675fe1c91

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
243KB

MD5
70452284188b76c6165f1d1c0465c1da

SHA1
3f9ef87f3be2425f583c88b681155ee14e256731

SHA256
99fc82217361203c90f40c94df304fe514f355520cc5f8a3bc0c0791b7188c92

SHA512
dc39d61b22265cf98ac4362ca3b8cf500d28cee02833f11321640f66121ecba08d1ef36de8dd02af5be98ba0056fd444b9691f10130ae3d774f042b99521208e

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
243KB

MD5
3b62ee18ca67d50e826e2a39075ec818

SHA1
e557484187289111e65d5ad0c911a7c9880e178b

SHA256
178f7fbdd90780562b10aac16b87bd3795379423d77b6dd8e0347b0a35cbd65b

SHA512
f4d831af799994de975b369ab00539169a446de4c49fa8678d9ff6e2fca8800790ca174ccd2c0895138ce7d1b5a11c473eae1e5711c56159000ed862df4dacb7

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
243KB

MD5
61dde9b5bfe1e33fa8399404b88967dc

SHA1
37ee97513eaed3795e2481c49b8328c0a89d30c6

SHA256
87de0707057e221b6cbdf287a2efd6c536239ce67d36c4c0e2659dceb7462aa2

SHA512
5580a83fe7040c3e5c7347a2abea9af43f5732ee611eff6fd02369817461f562dadcccaa867da8173f085b7b98fd34e966ab295850f76be7efb24ab3e4ec6011

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
243KB

MD5
8a8961dd4e04984e318bc5c36c46af27

SHA1
bb0a666bd843bef2db98019fe13fc554e6554e3d

SHA256
591addf02d993e56ec63b9db3546684a1da8b827c393d9a99973c8c3b2408970

SHA512
84b8d309dbcb65c1e3b5651d767c38fa8ee5d57cbcf16c6029d22e1519a1da15872b995f517f83650979e50dea2aff33b55366cd43eef6afd55694520eba01a4

Download Submit
C:\Windows\SysWOW64\Nidmfh32.exe

Filesize
243KB

MD5
a26bee2cabb4aa58ae52392817915662

SHA1
2b38e12d3d0cdaebe9dbda92bd543dddb99a4c3e

SHA256
5206b05dc33db683b272cf59aade76c85f3938f0510e6f0d002790c738ddfe86

SHA512
b252eb86b29753f8ccf51870da98889aafe08c47d77d41f2a8353bdf33f863e7c61c3221f2f1a444537e2e3ef763cadd52d418a1dd0594d89077257f3fed5915

Download Submit
C:\Windows\SysWOW64\Nnafnopi.exe

Filesize
243KB

MD5
9d035982667dbced43693c3582de2801

SHA1
f6ab4e5f23a05c19e352b94128c18e4946808a59

SHA256
36f6eeac656f99fdced5e3f24e8d5e9258be1c910d4941a457168f37c7aca11f

SHA512
d54b5e156aabdade04540bf25c136e368dffe6a36358854c1ad772d0da72f2b6b1af83c6d83861e2be85d3070688fc6d0c8a2094209ff213a52d6fb0bd1eb01b

Download Submit
C:\Windows\SysWOW64\Odgamdef.exe

Filesize
243KB

MD5
0c2a2e3d2a694579351c6a3501f9aed9

SHA1
81afaaa7409df77427b857856c11116bc8bee61d

SHA256
f3d22726aed6578985bffe92057aff932e38f181cb7a94d6408f11bbefefdb36

SHA512
ac1b053160e6c0b2cecc08e94867376e36066b5c84f30da8832c293b9902e179a62627f888cd3cc6b259d9b78cc7bad280dda3e4b8b094ed7f8ebc9ecd1b41b4

Download Submit
C:\Windows\SysWOW64\Oekjjl32.exe

Filesize
243KB

MD5
101d3e3f079e236b000b3d603d21902b

SHA1
de66241d3b5a607ddcc1706c8e9d5e26a5c9cc1e

SHA256
a7d7c59af9570412f1ba672ce6a157f03195a50a09051d466d82ee27c8be4190

SHA512
eacca6b4a3bc20ee31bcba07e1a936ab3d35990f24c66bee7ac0b3671fc8439d38e9ae71f500ef2f41e9b364276aa0aa0019d416cf1057a15f8fd91f5927cc3b

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
243KB

MD5
32a580cd527597d48561882adf29b1ba

SHA1
801473480efb88d5c06e86ae06ff29f393f29b3a

SHA256
f1d535ca70c90815907fdee0d740073a5be47b637a6f7ecd05e510b845068417

SHA512
fde526d1b6008bb70b800ae35c6a5a3b7b103d069cd8711736752857f222e0d084f163aec5eb37d6cbc00c0d5a5ab7bffeb327bec50ac2acbc7d99ccbfc81e10

Download Submit
\Windows\SysWOW64\Afdiondb.exe

Filesize
243KB

MD5
410dd941de136902f868bb4983c49d25

SHA1
b8b7418bf019957ce76b55cd78f882f1853fa354

SHA256
0e47f4b172dd72cec9f5e81a6251e7ced9ffb4d4ebd66f67128fd33a9e8cddd3

SHA512
a7e953b896bacce36e094f3b230a46b26f40cec5dd7b20b09e1372a7d0e737116dd7088db0303ca1431ed51717c55e1dfb5251eb1b44d192393e69d4f3019068

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
243KB

MD5
ed05db804919bfc2492700eeb47088b0

SHA1
97c05dc95c943c07703c3c2a66567e2b4988cf7d

SHA256
4f833e2c068ac8d7b9f0da09a6e450e3d5eb881a7b389ac313795ff7dc9eced8

SHA512
fe2d920cd3c86a55d377a74919d2c51da6ddfecb9a888fbbb7cdcce01e68b2918213055c41025d8465c8bd2dfe47ac9db4ce258b4d838b3914361b09da0405fe

Download Submit
\Windows\SysWOW64\Nameek32.exe

Filesize
243KB

MD5
2b4b9c2234a71f6d0510779c7458e5f8

SHA1
9666417fc0b43921e16c6d0d29888e1ce810dd04

SHA256
0e5e5746e17d0aa821e393c535de1698824423fe4792218e779e479bf6b8d756

SHA512
49a42dba5bedca8a8c071521541ad64c63e83865621b994df2dcd7fc6fa6926945311fa3479df1520db75df9d81ed7a917f849b16cf4182c354d77d5b5666b27

Download Submit
\Windows\SysWOW64\Ngealejo.exe

Filesize
243KB

MD5
e5ad9f736c6965d2a7cf7a27d5214773

SHA1
ffca711e6aa3b558a353b01dab2f2581712f0ba7

SHA256
e10af7f391d6253027497a69a2fe3e3df92ac0d4eec7022fe026f5c6d81d96f6

SHA512
00e618a4efce73654f8ead7542426234679e38135c27f6ad0b412be4215a958bf5e45defcabaa2a6b5ddf4f53ab6453a12125a1662862107c55f6167155949e4

Download Submit
\Windows\SysWOW64\Nhjjgd32.exe

Filesize
243KB

MD5
dff4c0322894a0214a25c489a4d8e0a1

SHA1
c79f83566406377c35736563670ffa06a49d88ad

SHA256
eb5d6743762559ca19d01c7a5fb8d8430ebe450f78a9c504183ae33b8fbff0dd

SHA512
a3cdf8e4a4b7270fa20e1aaa7609c83d5fc7aa165e19806b02a29e110396e6e2dd8fa4ae81a1f3b435d17b7960d3268a9ec8d584fc384cebd77fc9d4d4c4014c

Download Submit
\Windows\SysWOW64\Oidiekdn.exe

Filesize
243KB

MD5
2a0a747e6c0bb1af9abb68028f0f565a

SHA1
047ce61b5fdb7ffa0f98d1b790f669afcbd438f9

SHA256
e43debc4ee04e54239e7094a264116f5c2d48147c999357f33aff177b2252c4e

SHA512
5cfaa3b26172559e4e2d9c24e02fb76afa05bf96454bc79e8a410de2073e10195f46ed3c5212063f4ffc3a5409e7dbcab06e9a84649c23d835e481cc145a80ea

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
243KB

MD5
9816cb1fbd3b0fd13049bbbe4c08d8ec

SHA1
3802f3cd4edfc02c4eaa6a928310edfd9f79f974

SHA256
03322fd5becb0da1f6398c44e650d3039d8d5c44742e1a5f23b2d889866c452f

SHA512
986527bbaac6c464352897116153955e4f54c71516356933b205678aa53ddaae4d40d40a03c6678af3f7cf308df7c2eae7e683d16970e65832e12729c47794e9

Download Submit
\Windows\SysWOW64\Pbagipfi.exe

Filesize
243KB

MD5
a8a12c73f3577dc65d0fcdd00af5868b

SHA1
549ef133630a916ce2c6390bd67df087c4138db8

SHA256
9ab0c84bc04da7c2dac0a8d1eee2ee7a7fa5b3639fd5dac5bfe9f16e5b13aad1

SHA512
c473c032f651d029b8135939d944401ab189a4eb7b6d4006e1550ca41c96767aa0ded5e4f9fc923f3aa719e907b44b102dc93debd1bd4b4153884342cb9063d0

Download Submit
\Windows\SysWOW64\Pdbdqh32.exe

Filesize
243KB

MD5
847dd4238df444bb5d977bb1dd31a112

SHA1
ca072417723394e3ea9f901802f01312cfbb74cd

SHA256
23f65a4083c4b7a28ae11734a8f321a56bcf880643d123e128f119910bfe6f81

SHA512
60c1bae46f1237af5f2bf700605962846839ad8606165217c5184a2b36c96d368c4ac5515bfbe9f4b290f2fd0153afd125a01bbf3497a1a7f855abe92b023995

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
243KB

MD5
4cfcb1e8b348ee61d1b0afba2fcc733e

SHA1
eb677aaa5bea242b7940b102beac6f435125162f

SHA256
7eabb3bc505b5707c976576022439846177b7653190738d37a6fafcb5e6daee4

SHA512
e9f191de47cb7ce75710cf1ab6c392c5bfc5935db8e5bf62593538e9cccf930aaf94ff0fcf860781bbb76c559ebb312de96cf2b20ebca6cf86aeb2050724c96d

Download Submit
\Windows\SysWOW64\Pojecajj.exe

Filesize
243KB

MD5
8a42619514f9ac1bd8e7d1187f44176c

SHA1
d6ff30051458525fd59aa313be6935db0131a70d

SHA256
75ac7e581cc124203e91a98cd7aff09457fbc09bccc48fd6c5abee71861a2653

SHA512
122204ad872c69ba225ec3e47de69a58f98f93a1bd578d1e40c6b549e4491ce875ebe9f153e3a12a6194ea1ab42847736b347d30c08a736e77110cb3ffa394a6

Download Submit
memory/680-380-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/680-234-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/680-233-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/868-311-0x0000000001F60000-0x0000000001FC7000-memory.dmp

Filesize
412KB

Download
memory/868-310-0x0000000001F60000-0x0000000001FC7000-memory.dmp

Filesize
412KB

Download
memory/868-343-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/868-303-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1440-198-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1440-206-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1440-211-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1440-381-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1516-383-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1516-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1564-266-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1564-352-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1564-267-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1564-257-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-323-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-348-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-332-0x0000000001F60000-0x0000000001FC7000-memory.dmp

Filesize
412KB

Download
memory/1604-351-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-333-0x0000000001F60000-0x0000000001FC7000-memory.dmp

Filesize
412KB

Download
memory/1684-378-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1816-375-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1816-18-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1820-159-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1820-166-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/1820-167-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/1820-390-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1892-255-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1892-246-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1892-256-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1892-354-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1916-382-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1916-128-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1952-374-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1976-387-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1976-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1976-17-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2040-235-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2040-245-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2040-244-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2040-377-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2076-392-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2076-196-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2076-184-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2156-344-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2156-312-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2156-322-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/2156-321-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/2156-337-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2204-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2204-379-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-389-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-103-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2308-341-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2308-277-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/2308-342-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2308-271-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2308-278-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/2508-391-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2508-213-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2508-224-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2508-223-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2532-90-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2532-376-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-294-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-299-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2612-339-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-349-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-300-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2752-384-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2752-158-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2804-336-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2804-346-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2828-51-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2828-388-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2892-169-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2892-182-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2892-385-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2892-181-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2936-386-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2936-77-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-340-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-288-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/3036-279-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-347-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-289-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads