berbew | 581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Size

320KB
MD5

fe15935ca93791249cd1644e61791b1b
SHA1

77df88854dc5dff98dc6f4b5d76dbc065d049211
SHA256

581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50
SHA512

fad19898c26f997119220305d0d6766730f016f0b61b61d0217f85ce396e0106265e7d496310027706411e47e15d20ba710a067cd9486aa20c1d2a8cf8237578
SSDEEP

6144:+PG6kqGPJu6cZLAYCtE07kli0KoCYtw2B0Ddu9szWfx09UBIUbPLwH/lLOUaR/N4:+NkfJPXYJ07kE0KoFtw2gu9RxrBIUbP+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
1596	Qkfocaki.exe
916	Qgmpibam.exe
2708	Accqnc32.exe
2692	Ahpifj32.exe
2872	Ahbekjcf.exe
2672	Achjibcl.exe
3048	Aficjnpm.exe
2296	Akfkbd32.exe
2096	Bkhhhd32.exe
1704	Bccmmf32.exe
840	Bmlael32.exe
1300	Bgaebe32.exe
2648	Bchfhfeh.exe
2380	Bffbdadk.exe
2416	Bkegah32.exe
2988	Ciihklpj.exe
1620	Cbblda32.exe
1536	Cgoelh32.exe
1712	Cpfmmf32.exe
1752	Cbdiia32.exe
2008	Cgaaah32.exe
1676	Cnkjnb32.exe
276	Ceebklai.exe
1972	Cgcnghpl.exe
1584	Calcpm32.exe
1060	Cegoqlof.exe
2704	Dmbcen32.exe
2712	Dpapaj32.exe

Loads dropped DLL 56 IoCs

pid	Process
2072	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
2072	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
1596	Qkfocaki.exe
1596	Qkfocaki.exe
916	Qgmpibam.exe
916	Qgmpibam.exe
2708	Accqnc32.exe
2708	Accqnc32.exe
2692	Ahpifj32.exe
2692	Ahpifj32.exe
2872	Ahbekjcf.exe
2872	Ahbekjcf.exe
2672	Achjibcl.exe
2672	Achjibcl.exe
3048	Aficjnpm.exe
3048	Aficjnpm.exe
2296	Akfkbd32.exe
2296	Akfkbd32.exe
2096	Bkhhhd32.exe
2096	Bkhhhd32.exe
1704	Bccmmf32.exe
1704	Bccmmf32.exe
840	Bmlael32.exe
840	Bmlael32.exe
1300	Bgaebe32.exe
1300	Bgaebe32.exe
2648	Bchfhfeh.exe
2648	Bchfhfeh.exe
2380	Bffbdadk.exe
2380	Bffbdadk.exe
2416	Bkegah32.exe
2416	Bkegah32.exe
2988	Ciihklpj.exe
2988	Ciihklpj.exe
1620	Cbblda32.exe
1620	Cbblda32.exe
1536	Cgoelh32.exe
1536	Cgoelh32.exe
1712	Cpfmmf32.exe
1712	Cpfmmf32.exe
1752	Cbdiia32.exe
1752	Cbdiia32.exe
2008	Cgaaah32.exe
2008	Cgaaah32.exe
1676	Cnkjnb32.exe
1676	Cnkjnb32.exe
276	Ceebklai.exe
276	Ceebklai.exe
1972	Cgcnghpl.exe
1972	Cgcnghpl.exe
1584	Calcpm32.exe
1584	Calcpm32.exe
1060	Cegoqlof.exe
1060	Cegoqlof.exe
2704	Dmbcen32.exe
2704	Dmbcen32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Qgmpibam.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Accqnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Jpefpo32.dll	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Ahbekjcf.exe	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Fpbdkn32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciihklpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1596	2072	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe	31
PID 2072 wrote to memory of 1596	2072	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe	31
PID 2072 wrote to memory of 1596	2072	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe	31
PID 2072 wrote to memory of 1596	2072	581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe	31
PID 1596 wrote to memory of 916	1596	Qkfocaki.exe	32
PID 1596 wrote to memory of 916	1596	Qkfocaki.exe	32
PID 1596 wrote to memory of 916	1596	Qkfocaki.exe	32
PID 1596 wrote to memory of 916	1596	Qkfocaki.exe	32
PID 916 wrote to memory of 2708	916	Qgmpibam.exe	33
PID 916 wrote to memory of 2708	916	Qgmpibam.exe	33
PID 916 wrote to memory of 2708	916	Qgmpibam.exe	33
PID 916 wrote to memory of 2708	916	Qgmpibam.exe	33
PID 2708 wrote to memory of 2692	2708	Accqnc32.exe	34
PID 2708 wrote to memory of 2692	2708	Accqnc32.exe	34
PID 2708 wrote to memory of 2692	2708	Accqnc32.exe	34
PID 2708 wrote to memory of 2692	2708	Accqnc32.exe	34
PID 2692 wrote to memory of 2872	2692	Ahpifj32.exe	35
PID 2692 wrote to memory of 2872	2692	Ahpifj32.exe	35
PID 2692 wrote to memory of 2872	2692	Ahpifj32.exe	35
PID 2692 wrote to memory of 2872	2692	Ahpifj32.exe	35
PID 2872 wrote to memory of 2672	2872	Ahbekjcf.exe	36
PID 2872 wrote to memory of 2672	2872	Ahbekjcf.exe	36
PID 2872 wrote to memory of 2672	2872	Ahbekjcf.exe	36
PID 2872 wrote to memory of 2672	2872	Ahbekjcf.exe	36
PID 2672 wrote to memory of 3048	2672	Achjibcl.exe	37
PID 2672 wrote to memory of 3048	2672	Achjibcl.exe	37
PID 2672 wrote to memory of 3048	2672	Achjibcl.exe	37
PID 2672 wrote to memory of 3048	2672	Achjibcl.exe	37
PID 3048 wrote to memory of 2296	3048	Aficjnpm.exe	38
PID 3048 wrote to memory of 2296	3048	Aficjnpm.exe	38
PID 3048 wrote to memory of 2296	3048	Aficjnpm.exe	38
PID 3048 wrote to memory of 2296	3048	Aficjnpm.exe	38
PID 2296 wrote to memory of 2096	2296	Akfkbd32.exe	39
PID 2296 wrote to memory of 2096	2296	Akfkbd32.exe	39
PID 2296 wrote to memory of 2096	2296	Akfkbd32.exe	39
PID 2296 wrote to memory of 2096	2296	Akfkbd32.exe	39
PID 2096 wrote to memory of 1704	2096	Bkhhhd32.exe	40
PID 2096 wrote to memory of 1704	2096	Bkhhhd32.exe	40
PID 2096 wrote to memory of 1704	2096	Bkhhhd32.exe	40
PID 2096 wrote to memory of 1704	2096	Bkhhhd32.exe	40
PID 1704 wrote to memory of 840	1704	Bccmmf32.exe	41
PID 1704 wrote to memory of 840	1704	Bccmmf32.exe	41
PID 1704 wrote to memory of 840	1704	Bccmmf32.exe	41
PID 1704 wrote to memory of 840	1704	Bccmmf32.exe	41
PID 840 wrote to memory of 1300	840	Bmlael32.exe	42
PID 840 wrote to memory of 1300	840	Bmlael32.exe	42
PID 840 wrote to memory of 1300	840	Bmlael32.exe	42
PID 840 wrote to memory of 1300	840	Bmlael32.exe	42
PID 1300 wrote to memory of 2648	1300	Bgaebe32.exe	43
PID 1300 wrote to memory of 2648	1300	Bgaebe32.exe	43
PID 1300 wrote to memory of 2648	1300	Bgaebe32.exe	43
PID 1300 wrote to memory of 2648	1300	Bgaebe32.exe	43
PID 2648 wrote to memory of 2380	2648	Bchfhfeh.exe	44
PID 2648 wrote to memory of 2380	2648	Bchfhfeh.exe	44
PID 2648 wrote to memory of 2380	2648	Bchfhfeh.exe	44
PID 2648 wrote to memory of 2380	2648	Bchfhfeh.exe	44
PID 2380 wrote to memory of 2416	2380	Bffbdadk.exe	45
PID 2380 wrote to memory of 2416	2380	Bffbdadk.exe	45
PID 2380 wrote to memory of 2416	2380	Bffbdadk.exe	45
PID 2380 wrote to memory of 2416	2380	Bffbdadk.exe	45
PID 2416 wrote to memory of 2988	2416	Bkegah32.exe	46
PID 2416 wrote to memory of 2988	2416	Bkegah32.exe	46
PID 2416 wrote to memory of 2988	2416	Bkegah32.exe	46
PID 2416 wrote to memory of 2988	2416	Bkegah32.exe	46

C:\Users\Admin\AppData\Local\Temp\581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
"C:\Users\Admin\AppData\Local\Temp\581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Qkfocaki.exe
  C:\Windows\system32\Qkfocaki.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\Qgmpibam.exe
    C:\Windows\system32\Qgmpibam.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\Accqnc32.exe
      C:\Windows\system32\Accqnc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:276
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
320KB

MD5
9686a8625aea53212ac9b617d1f10e8b

SHA1
be0a860ec7934dde52f3e63be5e827d3ac33f282

SHA256
04398dfde58b2f2a87dadffe76d9f74602a925e8e07fd965729bc700d4720017

SHA512
53acf6c95ebf5ff8cff35de5cd398f5d55d3c65790a8f6eeab9b9efba0a88f2ad6ee8a505f1777c57948c9970b01e8d9eb283006f264b99539de32d3fdd27afe

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
320KB

MD5
6037c353a19e4f4ab02e22ed5aa51daf

SHA1
1a1e69d04dfdb8da65a766957184f56678afc39a

SHA256
baf1281ec395600c2757d7aa470637b32e9b71dff8d8088afb47fef8e63efdee

SHA512
ba65b0ba3303f3bbd1e0b05bad442061ce4ac6f265e57a6e8237a4bf70a2fed2e69f940deaac4d60a9a840e3cfcc0aa87e4964f0e19568238b145338cde61a4d

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
320KB

MD5
3e5d2a5b2c7881270c74d8ffd7d54e9f

SHA1
86f32203ebb0ccba2827db41264c38c4df74db8b

SHA256
fe01b8812257aa292971ef55fb77d1fd573ec099892981d351172496f74c5596

SHA512
57bcc802eb131b0c5a09354f3ec254cf66ab4a906dac18fe2f33f246c042bac69e4fd929ad473a0b9be55ca6b4c84dcf29761ca7eab8713009af20a8b34af77b

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
320KB

MD5
a2dd42bc22db91eb37514591e28975dd

SHA1
4f22fb2601eee835e4afddb8b3db183c185869ae

SHA256
ad72ca3e443e54ecd78869ddb932afa3aaa3f039b506436163ed22e7e3ef5d8c

SHA512
25c38b93fa4cee546b7e68bf5e6ec4dce11da796eead72bc9c17ce34cbf83468f2516d11204d9829f190a528ec81597fe448e83a8d5c3f58deebfad9b5855df9

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
320KB

MD5
01386f6c9aee73604419ea00230a0f76

SHA1
2ef4109c736f3bb98b85fe24967c8712653b6a2b

SHA256
87a6864a44b2b445a2751d713b0ce67995e1fbb9c2f50503ded092e30b36b704

SHA512
43898d64088c2ddde2b967f73a905b0169d49b994786934dfa25c10319b32eb796dbf035f01472f461822e4c527469a9081afff5948b2028438280336f79c3e5

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
320KB

MD5
07b92651d4ef2dd96cbb4f7b76388a71

SHA1
ee8c259a501430362d3f5d8c3b4a15cce7efad0d

SHA256
852e7e03a20894939680a03c692142d486cfd95ed7d956dbda1746b0ff5194e6

SHA512
dce77fa0e778ad3211ed744411769a06d8b339f40636d2ca3d7c7b182d9ddc65b1778d2bb3e9c151a55fcdfe2de893d88cbcbcbbe1d4be4bdd77e68f4e877b06

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
320KB

MD5
bb93db839ce93ba582b9f792ea390db7

SHA1
ad555dfb0c6ed15d60c83e7dcffa951bcbe985be

SHA256
b5605632a502e06687c304bfcbd135b04c6b3e69482aa192d0b75888cfa8c564

SHA512
f439a593773a297a758000fd1c2f9cc55731b0932e3cd7f073be743a5172d3d2509903a32b200849483006c1fbb6fd1eb96a9a4c53a3b110d79da23cda9b9b3d

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
320KB

MD5
7b068c3c6f169517dbc4991521666675

SHA1
622c42b1c1b81d4f0da21fc8bcd9e91e3d88227e

SHA256
ac820d536f6ee92e1893e834fb32d6450aded1f94ba78b32daf5d1b37c052819

SHA512
541a2906ee8bde14a7e9a43173c1e4267ce436056c8a25a1d2cd41b296b55da39f80b3ea3a5dab31df61afab9f9bef79f9ea3164e603e7edeb3e3529906432e7

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
320KB

MD5
ddc15bbc63f6a09d1400c9616677f42f

SHA1
905de35a55754c6078e2fdc09d8a55c9554bf8ed

SHA256
8f5aa9f883df6be953096c4dff72a2971af949bf901593bcb1cfb9d6a827696d

SHA512
ed4f1c6678bc432b33a585c3654fb80285df8d34adc4f07083bf23a16400d04dbe320b761708bdc8634d3b703deb423122e6433611289b87b97a45e0f1b27f95

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
320KB

MD5
75aa161ac3524b6752737698bcfe479c

SHA1
8d47d180fbee6c816690fbdb651fa7f6a386019e

SHA256
6437abcba8b5d6e000ab0688ad1f83a36bb626dd6c458f65109e06c0f511edf8

SHA512
9e761564f6ceaf3960c853717c5ee166aa8a1d730ef8f8f0a1ecb77914e44cc200586e6c551b6872a85bff4628290824c5e96a4b349ffc07dd85b7f5b73f859d

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
320KB

MD5
f9d6ecf675e94360dd10100e2919cc2f

SHA1
7a49d5b2257d4fa68a929aa9790878986c8c7b52

SHA256
7f10d74c4d04c3a811a40d4afd3d6dda5791897851b55aca3a2bc4dff9a03188

SHA512
628d342e2775084286ed3fa0ea85ef69afa6ab1d65232773fcb5ec1eebf74290e0632c495102a27eca537b171d4ce485d28b25d5b0bc6e8fab2a3a0a53598b10

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
320KB

MD5
e3831c98559e3ac93f309e9487ec1d22

SHA1
7ae03a6c2fa6b11bf215cfa2176c5d89ae6fdfc6

SHA256
ab1f08819b65f1d55ab7f8b531dec37937bc66f20ee1689d55f262095eb024fb

SHA512
874d18c2647de6ca83886b8719f762c19005cd97803b4dd6f121339d046565bd58b61d2b4c7bab8cbadb74ac93578d58b55f1667f7dcd2945fd54f0cc0aa89f9

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
320KB

MD5
2337653e465b615c69b71786a3aea3ca

SHA1
657f0b094292f08140aecbb3178bdc55ef4e7b03

SHA256
f86af43f8c02451b9d85d716a211cb6c2890efdec6fe25595cc30d42c8ffcbf4

SHA512
275c4ff5ceb754919b772e94995a86c44a97a2ce7cdc3af56d680d8d00e08d8bdc5a534f7afc38268ae1674b9e32c9d69711db8a51ce374bbdf0bacda7a17120

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
320KB

MD5
ff78b608bfee5c2fcb103deee2815558

SHA1
8e5cde924e8c13341fd3b2ae44c90f212ba4a158

SHA256
843e4c8482f60bc0d174d092004ab6ce7e8ba0f6fd3eaf3332a9e334e6c36871

SHA512
66c9d72c326d53ad42e672911ccd112d5da4d4b4584d8e3ce67a8f19a11471ffe88597f63edb226a7cf9b917ac0e7a188033d73fb587f264a2abb95c92361b8d

Download Submit
C:\Windows\SysWOW64\Maanne32.dll

Filesize
7KB

MD5
e2617ca14925f7cbcc40b0e25cf76508

SHA1
742ee3fc3db1d5f1b8f96fdacbd9db77e3e8e1aa

SHA256
650c7fb6520daafeaba631ed6dd28bdb00e55aadb2192039c0c92967a4c575be

SHA512
f893caa1fa6e1e39e48cfaca1649cf20313b0af42eabc6fb88d3fba59ade8dca172358eaabf85f1d5bd0b36f3923cdec795c02c6f0dbd1610a13fcd773c69def

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
320KB

MD5
690c6aaa3b37aee5f1d40253dc4983a4

SHA1
5d3f5d87f78410ee21d0826e408d12092ddc1dff

SHA256
6e73354bba36749ef8ca111f8400a16ef82ee09064a2dbb2452ff585f8d130fb

SHA512
f2059b818ac657a36a0d97128bf61fb73bcdcff083d4d69590ddfcdffb98712aab8edf0ab5531b9455cd287495c2a0dc038cf2d296fa98fce0b83d7bb7d779b7

Download Submit
\Windows\SysWOW64\Achjibcl.exe

Filesize
320KB

MD5
c9fc5070f3db8cca3b9d139509ad3439

SHA1
e70a738ae63ec7c7a903c79a505dd894f7ae6c2d

SHA256
90df80ef3088067302848c126d84914d11eb2a0846b497e36b58ed0f6e6a7311

SHA512
939e8d0cb07c001204a4d4630ca120f0619a23db73035f363999550b10a9905a6ec3ac7668c6c4e704eb9d84b97c1a3579794fd6a2102efedc0fd2076a329347

Download Submit
\Windows\SysWOW64\Aficjnpm.exe

Filesize
320KB

MD5
08329ccd710b0499aab0a59dff3979d8

SHA1
28d1eb469785e27b8b53a86d97bec769ef07fa68

SHA256
8d7cf9d53a4337686f42b28a7b6c13760d2b34a5f418fc1ca0348410e90089ac

SHA512
3fcf7060fa02de75ff4a67db06157d6bc9e78a8bfbdde4d106b2f114895f3eedd685826071077834989847c6c2f8f7f8e09b9eb8a6dea5779e43c7897d5b5955

Download Submit
\Windows\SysWOW64\Ahbekjcf.exe

Filesize
320KB

MD5
d5beb4687d4e2da673a374546fc2023c

SHA1
bb495227ea78e6e59b74d1971ab0f837176b0d37

SHA256
c3a7c363576b5043a8b26ef955b81731c629c680ca3236633954989f16bf0f22

SHA512
be31bf10e03353d7f9c491f4ab67bc6b7ffe42375a517a8bf23311064d9ad8c1afbba4d4a17ba55efa4fe3b4bb56ab28782260c8254c9513a7010ae1db13645c

Download Submit
\Windows\SysWOW64\Akfkbd32.exe

Filesize
320KB

MD5
5155c7066845cb53552c98108d4acad2

SHA1
dda9cef7894066883f3439fac95cb9f2d34c7089

SHA256
ef80a3678d67138bd6812c5b95320ad4a391cf9c4ce7b82f5a1e9919b19462a4

SHA512
6143ee7670670907bb937f38313f9de09038fb940eb79d030a56255b8d60cb788322e956ff1d8a6c2a2ef0e9013bfce0aaaa4192b7abefee0b4e8702e7c5d33a

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
320KB

MD5
84ab5f833490f49293d7173945a16d40

SHA1
025386a6b10758fcd3d3b27546ac52b0764a3c03

SHA256
ee40dc8387345af2cd8a696ed6301533a7045de35359c4bf8e1de9844441b961

SHA512
5de20a2c0dd072bfa54968b35fb09da6ffd984bfbc823d3e89d7b57f7176c46ded054347ea1a7bd5efe99f558dc6198a5896c3a5fb47c060287b5039b3b108ab

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
320KB

MD5
44cd794acbd88d15a6ff05369e943a11

SHA1
b4088f98efccc5624603a987fcd24323eef887ea

SHA256
094a3039e18fea04368c59494dcb7bcaf295fa8294da5c373a43eaea5bbe0d2c

SHA512
c4b098c0681ea2c2c69718728da72c3410a8d9a1ba766d2702f5b987cafaad65533a2ad85b4ae084273371e99962de3a2ba92c5cc2a983d806acd51a986fc31a

Download Submit
\Windows\SysWOW64\Bgaebe32.exe

Filesize
320KB

MD5
79072ac03ab7ac47f778713120502fd1

SHA1
dd31791a78a9b5ebc24e2ee962b48d82b563dfa2

SHA256
4f3a727fd65b04dd2dacb1f87a032e506624781952be9090c3b361b50ada22f9

SHA512
9d97c572622690d649edd6a2271815110bd3d2f83efb11bf9b3cd2cc7c78e570561a02b9f22923fd40115c72e702cfb4dda7afcec68f3900ea0e57551342441f

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
320KB

MD5
d4f65d0a952f8341770617255c952f96

SHA1
383f7df39248618b081649dd73f25b1a7fdfd52e

SHA256
f62b6932bb27f22a18888383123c97d8d7166fa5922c11425cc773a539fec505

SHA512
efbdc4d876e74deb4a0e8903354bd89dc2fbafd1270cc4f428dd66ad9d3736d9eef3eed4700ffcc9bde4b8820c6a46fa2b9db4f70104041192b585a6a8bab711

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
320KB

MD5
0da36120887243a0d3bcb1ded4cd4dde

SHA1
b2b381209dcda702d1fd7f29502cf4a31e7ea6d7

SHA256
213a18861e789244f947d9a8d869acfbdc862d7e16b368da10725953e8710149

SHA512
e44be2fc6c9514c965463546bbc17ebf4c4384a2349ad3de11bba024db807f6e646ca63e170ccfc6f83f0e973cb761e4640fa882d59193bd3d8b019dbce72f7c

Download Submit
\Windows\SysWOW64\Bmlael32.exe

Filesize
320KB

MD5
f93fb761d42017e20cd30b6424b37fe5

SHA1
37cadd1fecb2336e9c0e2891cf7598aa6194c3cd

SHA256
8a4340106a73b6afe734affb9cbbef1de7a9b02d04b235bf1cad372454a1f3e3

SHA512
141fa82d7748e245014e326fd59f16b7a4149b817967a1ed7292fadae1177cebe8bf071b9951e4da4ff051d9cce0fdd404255912ee575c8e285163715fb3a8ff

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
320KB

MD5
4941b1ce8b0a61f4211a56169ca55e0f

SHA1
9c1e3fd98c247c4fc9350f207f3e3874d312d7e2

SHA256
cb5635c314fe8490445be50a7bcd17eadda3acb41ea9e74856013f4495f5437b

SHA512
79e17770e0780dd0b9b2aed5d540dfa053b5ea9fc71d1e51bb3864e1587f350a388ddc64e021245b80b730577466a517414377755e2ed159f4f4bdff66f8bfe3

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
320KB

MD5
4553109e1a64a8007b59625413d38532

SHA1
735f5f107a1fc441f6f59cecd97e4a7b3badadf6

SHA256
ab193b3d2d049ea0b0f0787d1349d67b9de5e89230d57786c11c6bbde9981c23

SHA512
1c57260b85cd89d82b9c46ba44f589b8593be1412676e27df412ded1a561e1c23d355f1bcea0a860dc17be4294dd9ebfc27cf284026db9dcd8c19cb98544f578

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
320KB

MD5
4be977f9150ca21d40d2f6cb4069e86d

SHA1
9464a5c17b7cd01491b264015a057cc5384e9dda

SHA256
af78ed1ab4c982be591b14501e7649b7fba53d775111876db2c32705026e5aaa

SHA512
aa0c08361907c77f54bc8385225fd59d6951be30341d5980f32c8039a164dc20536d67c23abbca0cdd522b5f25c553fcae91479533a94045bd35942683d51178

Download Submit
memory/276-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/276-293-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/276-292-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/840-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-164-0x0000000000360000-0x0000000000395000-memory.dmp

Filesize
212KB

Download
memory/916-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-34-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1060-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-325-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1060-326-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1300-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1300-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1300-177-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1536-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-243-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1536-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-311-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1584-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-315-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1596-25-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1596-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-283-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1676-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-278-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1704-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-145-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1712-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-261-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1752-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-303-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1972-304-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1972-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-11-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2072-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-13-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2072-336-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2096-136-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2096-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-118-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2296-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-199-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2380-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-90-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2672-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-62-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2692-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-337-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2704-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-53-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2712-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-77-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2872-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-225-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2988-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-108-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads