berbew | 1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eacc

Analysis

max time kernel
73s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
Size

419KB
MD5

b0c55bec96d2818ca6205038abf8da80
SHA1

80c8717f439f827ad272ba4543ff1e993e00ac57
SHA256

1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eacc
SHA512

59e30f6b6ab740c7d6f738585cf6322359ee249b4a7264f6259f9cd79184f326890b8359f872ae652494f027bb4c8ef6739d802d20c9c80305eaf80e056bf449
SSDEEP

6144:lozaGl35IKof8ByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R1L/gBSfGmtE1se:mliK9ByvNv54B9f01ZmHByvNv5fJPGs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
2408	Qiioon32.exe
2784	Qjklenpa.exe
2940	Aohdmdoh.exe
2692	Acfmcc32.exe
2588	Akabgebj.exe
3036	Adifpk32.exe
2852	Alqnah32.exe
3056	Aoagccfn.exe
1956	Bhjlli32.exe
468	Bbbpenco.exe
1244	Bkjdndjo.exe
592	Bdcifi32.exe
2188	Bfdenafn.exe
2536	Bffbdadk.exe
1008	Boogmgkl.exe
1184	Bmbgfkje.exe
672	Ciihklpj.exe
1660	Cbblda32.exe
1880	Cileqlmg.exe
1476	Cnimiblo.exe
808	Cagienkb.exe
2992	Cgaaah32.exe
2440	Cbffoabe.exe
2772	Clojhf32.exe
2712	Cjakccop.exe
2856	Cnmfdb32.exe
2920	Cfhkhd32.exe
2668	Dmbcen32.exe
3032	Dpapaj32.exe

Loads dropped DLL 58 IoCs

pid	Process
628	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
628	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
2408	Qiioon32.exe
2408	Qiioon32.exe
2784	Qjklenpa.exe
2784	Qjklenpa.exe
2940	Aohdmdoh.exe
2940	Aohdmdoh.exe
2692	Acfmcc32.exe
2692	Acfmcc32.exe
2588	Akabgebj.exe
2588	Akabgebj.exe
3036	Adifpk32.exe
3036	Adifpk32.exe
2852	Alqnah32.exe
2852	Alqnah32.exe
3056	Aoagccfn.exe
3056	Aoagccfn.exe
1956	Bhjlli32.exe
1956	Bhjlli32.exe
468	Bbbpenco.exe
468	Bbbpenco.exe
1244	Bkjdndjo.exe
1244	Bkjdndjo.exe
592	Bdcifi32.exe
592	Bdcifi32.exe
2188	Bfdenafn.exe
2188	Bfdenafn.exe
2536	Bffbdadk.exe
2536	Bffbdadk.exe
1008	Boogmgkl.exe
1008	Boogmgkl.exe
1184	Bmbgfkje.exe
1184	Bmbgfkje.exe
672	Ciihklpj.exe
672	Ciihklpj.exe
1660	Cbblda32.exe
1660	Cbblda32.exe
1880	Cileqlmg.exe
1880	Cileqlmg.exe
1476	Cnimiblo.exe
1476	Cnimiblo.exe
808	Cagienkb.exe
808	Cagienkb.exe
2992	Cgaaah32.exe
2992	Cgaaah32.exe
2440	Cbffoabe.exe
2440	Cbffoabe.exe
2772	Clojhf32.exe
2772	Clojhf32.exe
2712	Cjakccop.exe
2712	Cjakccop.exe
2856	Cnmfdb32.exe
2856	Cnmfdb32.exe
2920	Cfhkhd32.exe
2920	Cfhkhd32.exe
2668	Dmbcen32.exe
2668	Dmbcen32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Acfmcc32.exe	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Qiioon32.exe	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Imafcg32.dll	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Aacinhhc.dll	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Qjklenpa.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qiioon32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Egfokakc.dll	Akabgebj.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Aohdmdoh.exe	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Aoagccfn.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Fcagcm32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qiioon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffbdadk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2408	628	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe	31
PID 628 wrote to memory of 2408	628	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe	31
PID 628 wrote to memory of 2408	628	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe	31
PID 628 wrote to memory of 2408	628	1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe	31
PID 2408 wrote to memory of 2784	2408	Qiioon32.exe	32
PID 2408 wrote to memory of 2784	2408	Qiioon32.exe	32
PID 2408 wrote to memory of 2784	2408	Qiioon32.exe	32
PID 2408 wrote to memory of 2784	2408	Qiioon32.exe	32
PID 2784 wrote to memory of 2940	2784	Qjklenpa.exe	33
PID 2784 wrote to memory of 2940	2784	Qjklenpa.exe	33
PID 2784 wrote to memory of 2940	2784	Qjklenpa.exe	33
PID 2784 wrote to memory of 2940	2784	Qjklenpa.exe	33
PID 2940 wrote to memory of 2692	2940	Aohdmdoh.exe	34
PID 2940 wrote to memory of 2692	2940	Aohdmdoh.exe	34
PID 2940 wrote to memory of 2692	2940	Aohdmdoh.exe	34
PID 2940 wrote to memory of 2692	2940	Aohdmdoh.exe	34
PID 2692 wrote to memory of 2588	2692	Acfmcc32.exe	35
PID 2692 wrote to memory of 2588	2692	Acfmcc32.exe	35
PID 2692 wrote to memory of 2588	2692	Acfmcc32.exe	35
PID 2692 wrote to memory of 2588	2692	Acfmcc32.exe	35
PID 2588 wrote to memory of 3036	2588	Akabgebj.exe	36
PID 2588 wrote to memory of 3036	2588	Akabgebj.exe	36
PID 2588 wrote to memory of 3036	2588	Akabgebj.exe	36
PID 2588 wrote to memory of 3036	2588	Akabgebj.exe	36
PID 3036 wrote to memory of 2852	3036	Adifpk32.exe	37
PID 3036 wrote to memory of 2852	3036	Adifpk32.exe	37
PID 3036 wrote to memory of 2852	3036	Adifpk32.exe	37
PID 3036 wrote to memory of 2852	3036	Adifpk32.exe	37
PID 2852 wrote to memory of 3056	2852	Alqnah32.exe	38
PID 2852 wrote to memory of 3056	2852	Alqnah32.exe	38
PID 2852 wrote to memory of 3056	2852	Alqnah32.exe	38
PID 2852 wrote to memory of 3056	2852	Alqnah32.exe	38
PID 3056 wrote to memory of 1956	3056	Aoagccfn.exe	39
PID 3056 wrote to memory of 1956	3056	Aoagccfn.exe	39
PID 3056 wrote to memory of 1956	3056	Aoagccfn.exe	39
PID 3056 wrote to memory of 1956	3056	Aoagccfn.exe	39
PID 1956 wrote to memory of 468	1956	Bhjlli32.exe	40
PID 1956 wrote to memory of 468	1956	Bhjlli32.exe	40
PID 1956 wrote to memory of 468	1956	Bhjlli32.exe	40
PID 1956 wrote to memory of 468	1956	Bhjlli32.exe	40
PID 468 wrote to memory of 1244	468	Bbbpenco.exe	41
PID 468 wrote to memory of 1244	468	Bbbpenco.exe	41
PID 468 wrote to memory of 1244	468	Bbbpenco.exe	41
PID 468 wrote to memory of 1244	468	Bbbpenco.exe	41
PID 1244 wrote to memory of 592	1244	Bkjdndjo.exe	42
PID 1244 wrote to memory of 592	1244	Bkjdndjo.exe	42
PID 1244 wrote to memory of 592	1244	Bkjdndjo.exe	42
PID 1244 wrote to memory of 592	1244	Bkjdndjo.exe	42
PID 592 wrote to memory of 2188	592	Bdcifi32.exe	43
PID 592 wrote to memory of 2188	592	Bdcifi32.exe	43
PID 592 wrote to memory of 2188	592	Bdcifi32.exe	43
PID 592 wrote to memory of 2188	592	Bdcifi32.exe	43
PID 2188 wrote to memory of 2536	2188	Bfdenafn.exe	44
PID 2188 wrote to memory of 2536	2188	Bfdenafn.exe	44
PID 2188 wrote to memory of 2536	2188	Bfdenafn.exe	44
PID 2188 wrote to memory of 2536	2188	Bfdenafn.exe	44
PID 2536 wrote to memory of 1008	2536	Bffbdadk.exe	45
PID 2536 wrote to memory of 1008	2536	Bffbdadk.exe	45
PID 2536 wrote to memory of 1008	2536	Bffbdadk.exe	45
PID 2536 wrote to memory of 1008	2536	Bffbdadk.exe	45
PID 1008 wrote to memory of 1184	1008	Boogmgkl.exe	46
PID 1008 wrote to memory of 1184	1008	Boogmgkl.exe	46
PID 1008 wrote to memory of 1184	1008	Boogmgkl.exe	46
PID 1008 wrote to memory of 1184	1008	Boogmgkl.exe	46

C:\Users\Admin\AppData\Local\Temp\1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe
"C:\Users\Admin\AppData\Local\Temp\1bc6bb52fbbba62e317e307d75258f7145fb2fe769eb79b08ddad4890034eaccN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\Qiioon32.exe
  C:\Windows\system32\Qiioon32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\Qjklenpa.exe
    C:\Windows\system32\Qjklenpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\Aohdmdoh.exe
      C:\Windows\system32\Aohdmdoh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adpqglen.dll

Filesize
7KB

MD5
3aaaa81a6e1d2f84f8f6f6445c48900b

SHA1
9060e563e5980500747c38601b852276ca3dfa42

SHA256
d53e7ccdd0edc78788002a8423a7a669277a1bf99d18c0b66173f1a47ecc7f46

SHA512
b1ab786a13cc166b4874412a15ac9977c26dc135d2ecc57ce2576d49c108192e5f270fc2d90fef6e9de0aea4a8a8c0a6a228b5760146aa7a03bdfafe77e8a18f

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
419KB

MD5
d25c89055abb1f14b015b166665ddbe3

SHA1
25501899f9c9faccfd9232b02a84aa42ff672c86

SHA256
93045a2a7d7cf18016ea17548e4d5e3bb3da160aa26520aad07c92c67a226ffc

SHA512
e9dedba04db5176980573583e7319adac11973d1a560f3a2e42773540d403adba8fa707c595b25468c8f617617410139451b6a357ef0ee3b552a458dd1897f51

Download Submit
C:\Windows\SysWOW64\Aohdmdoh.exe

Filesize
419KB

MD5
5d72f897ffeb9107d83bc6f3d216fc9e

SHA1
b46a970851c1802584e3efc9a3ac49d8220b04e4

SHA256
db721843ec2daf666934137a55e9acee24273143138edbaf7f8deff242958605

SHA512
37b96f501c9575f110487c448bd45eff597e28ed6934cc5dffa32e2c606a763a0e3612b3bf115ab56c077b09a87eb36df04ce4a7f30e6338ba186f5d9a6ea9d5

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
419KB

MD5
fedd2a451de0edf4446349b707bd8948

SHA1
090d3362e7121355ab876f2baba5b7f9d3ef058b

SHA256
66bccd3bd9740a2c294f6e5e1a3312dc8d6d60f4ca4d98547e50530ad03d773c

SHA512
7f722d229b5746b06a6ec1b0db807e9ae589b420f460198e211cfbe23d7a576a3f027815b6fd49a85ad0f22bf4152e6fe9c1ff453259673d18c7cec2395876f2

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
419KB

MD5
4493032d17e63588badc8476f1291658

SHA1
011ad3f1289ea158f4c35281b0648ac3148f78d3

SHA256
12467a821595ff0f2202ac89aff1e17769e707126b4003d117e4a836a78b6b8c

SHA512
de945a7fd359e02e9d369d21e8d76162bbb68162e4621bf0ca884835c8bd0387d00f2c1029283560db332b241678536e2205371416011be596aafb1c621e072c

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
419KB

MD5
aea6532a65ce91e5074dd7324a75bde2

SHA1
46f0e2b86fac06a303b21350d86903c3480a6ede

SHA256
88c0b97e7779ba88e2a8311817c9d8bb64d9510c1b2a16c1a45082f86e90b630

SHA512
25d17174876ecfe88f2029d11de6771d5423765e833fc13a59e70882c488388dfa617342f5763097147bd3277c94fc326abb89b0cb30d9aa83c103ef2e4241d4

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
419KB

MD5
249d507708b69da6f9758f57c895c79d

SHA1
57503fccc18891afef57d9a89d8749c832b0c7b8

SHA256
9478f88e796913a74f54c5304b03a45c828ff09fd6a88366583a85d7da24c41c

SHA512
5ab43ab079b71069b12b76f161f457d4874e339958b4113d04b30f042c108b70103196fc08a6a27ecac068344275d34354eea225c86b9b394ea0400698b12a8d

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
419KB

MD5
36fd63f6b15073e86a4011a10780157c

SHA1
3abf4b10625ebd3dd785b97e17b2b23e9ab66a2a

SHA256
a7e505e247b53e47ee839784e7bd5eafe56acee655436e9c1ff3ceb06f1d184f

SHA512
167179bcb8f3f3fe067e5fd6ce85d6df2c467dc64f311a14292871c03ae7f4660b80db4d880140c1b01ff4d58878b56ab696c690db997804c96caddff06cc334

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
419KB

MD5
7c9d2cab0c0643f33af412f2b90cfe35

SHA1
1d7877b37ee5e5cc3ec1e699b303f7e6a503475f

SHA256
b89ea176c30f4372746b81cc44a043cf06c352fe5b9c8c2497bee55277e0b9c1

SHA512
c3335a5ecf83ebe31f4dd3f3e54a853fdaea837f5e8c93f613bf20905804787ed28d1d1ed8e951420f4a5eee0840e220ffbdd8094e98b6fa6a4034ce1deef24a

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
419KB

MD5
bc48df6451aebf07ba6eabfc417ecc99

SHA1
a8c3af631618e785a6849ae59bd103a5107dcd25

SHA256
e9fdd958bf0378c25089b756c878ee42faba9ac13901e9cd993bfb2a3a19212a

SHA512
d9cf1c9b23e04141c20e09f97b113ad99292068eaf19c39ee87a61b63698dc351f930f5e34fdfde134383f8f452aea689bfa9fbbcc2a1cbd3f15bf1438150def

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
419KB

MD5
bd2ab49abb1028cdf1ae7816dc42834e

SHA1
46d9225a5599cbcd060563bc5e01cf618d5a91b9

SHA256
c27c88a188eea3141b21e541f226097d3455c95623a3eb3f21d203ad8422ed88

SHA512
b964c8b21b63c21bccc550327c7c5e0c807f4b018e1e10e9cdf7a0c8c8aa865e7caf6eb96073fb1394c2392b53aa763f440c1ac33e78edb653d91061ba81d981

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
419KB

MD5
6a7dc6f553d5506443797e6f244cce42

SHA1
88b4ca57c69612698be3a3ce63a9bc267d439e7d

SHA256
e04e7e7622df564749cd74a795adc78400a7f701edfb86ec9ee073bd231b7daf

SHA512
fa12de7d30239b6313db0209e5a67c0d62d6260f5bb5b87c4fb1bad3fd83be8d924163ea8b2be0cfdcc1da9780964d1d3441109bcef6ea9f6440ac636e7646c2

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
419KB

MD5
3b40a43907b262486ee027cb83966dd1

SHA1
026f53cd973ff04e7eebf40b867a98a6eb9497f7

SHA256
b30c1c5775745e395fd1a641a784be709176013406234715deb63e832a42ba7d

SHA512
26e0551af697d937033afbc915a3f7802c3b6319771ad484258ffa4bb6c7794e454a5ae7fb43e96b78f41728fb55f570a4bdffc3d3da53040b7882decab544dd

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
419KB

MD5
35c1c038660c187923b7d29831d8bf46

SHA1
873a6615b75e4d3130d9ee7262c4987c54a77567

SHA256
7b7202a816e8966aa4a2e52b6e0072f78ea6d67ff17b5e20b2501ab88dd0c7c8

SHA512
ee00aa439ebe58d456e754b6ebd4a995280e837815a7abfa5a47bcc1b66dfe2a17bd3a6be936005a70f4c5bdf22eb51fd35d8951177e1bb6c25870de49c1dfae

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
419KB

MD5
18adc272e73aee6842489eed90710e5c

SHA1
a566412e11f267b642b5f32b43183337799d920b

SHA256
d989cf0ab663b73327bb7f8a341541c622f5413f92f134df38680abd81007193

SHA512
2f91b54b828f417ea1301523507fb6754ceb9397cfc7fcf9656b625fd65d27c3c948f43aa9047d8535de08f5ce0ffa9c2dbf04405d829b8b066503782af80130

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
419KB

MD5
ac384ecd203803318f5391f7aa73dcaa

SHA1
e3b289fc04d7a714f0ba29f01e5d5d0f25229c8e

SHA256
d3548a3ef8ee26aae11cdf93b8d2b06179cf60e2e34d16ab0252b16a7bd0aaf4

SHA512
96f71d4c0a9c81b9abfe8cd5b87a07f709847f9aaba8464e7ec901c5c4b9d36d6b2ee3b7f706ee93e3bc3a0c1ac31f630339353846f3690f9401e5d2328a540f

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
419KB

MD5
64a0ff247729dd1464b238f324ff64ff

SHA1
9ecb6614e3522278b16efa015632c2e7afd88c94

SHA256
d1d71188e8a8a847d328f34219f3b991e2653194fa5bb64e0c020f88b61788de

SHA512
f5f499a0d323aac7b4b06201108e3c40804abc8d8da6a38cd29a30f5f986591df67ff67ff53e4e7510c2ea08cb434421121f91bf99bd402bc417531a290d5903

Download Submit
\Windows\SysWOW64\Acfmcc32.exe

Filesize
419KB

MD5
5a3de67b4c5def60242b897d6a987c08

SHA1
337d554402d6f71f543cd9bfdb9df4d82cda9ba9

SHA256
2b288ad277ee84def45c625f14d03ba55838a1b7e02f7d3404235de1dd97d24b

SHA512
b2dfa0238bdb7686a442fcda25a9710404035cec2790c82abec3fb57d8d3d64ad84f346d243dd1a8025466f87716a058f25d2c86ac8eb4f030ce719cc59c37af

Download Submit
\Windows\SysWOW64\Adifpk32.exe

Filesize
419KB

MD5
88e79c32229872a5bd5d72920ddd1bc8

SHA1
8a9fa90a9ed947e51810555629325e37fb13cd93

SHA256
fa9917e7c77d7ff095ab8229e4c2c1d922fd2d1210ad905b6b442bf84d55da48

SHA512
69e2a3ea3bc976fc4c6ac0271298c1c4cfb792a5e32a9bb18bb9c24cb792ec495a6c637ca8c52b0ba81d4dc132251c2d59afd1f56139fdb5ebb45dd4644be7c0

Download Submit
\Windows\SysWOW64\Akabgebj.exe

Filesize
419KB

MD5
f0b8648e4139f504fe973cc87e63fd1d

SHA1
7f72f33eeb10656df8dfb2681ad7ef99ad7dd3ec

SHA256
36ad1217324757a98b2e1097f01831a22f4680806057fc7db58d5777397cff18

SHA512
30da2b7a67399faf4bf80973baa1dc0467562fbb49ddcff500696d7e9ace50b5cea74021d82aa61e7b66f3e3b13adb7475df725cd7ac34c414de08764a2c2da7

Download Submit
\Windows\SysWOW64\Alqnah32.exe

Filesize
419KB

MD5
610b530cc539777af15cbaf3503f5779

SHA1
983869a32405e3adb836e810072cabae80d36b14

SHA256
43e67f3f46cf9c13489badca5e7637059fa456ae94d3d67ff8c9ed38286c5fa3

SHA512
61c49942a0ecf6441a50326abbcc8653ffbd7128b9bd218891876707213b45b8bcb422ac50d92242d123c130e3e64c16a962cea58e19b081d82c24cd55d7daa4

Download Submit
\Windows\SysWOW64\Bdcifi32.exe

Filesize
419KB

MD5
1691bcf73a8d9650ffe44cd8fc570e45

SHA1
15cb43aadaa13102f2baacbc9e37ac660f342d47

SHA256
74cc629a564a1315807112e7c44424573655b4d54d10225045b0147a4c815dbe

SHA512
80c6d70c274d233824e4576f5e84b028d51db6a32c8161dba44a21e74196a69a0bbcb0bd8f3d46cc9429b1e893663441b707a4c22e795efa2a63560e069f9de9

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
419KB

MD5
a285b8f5035f6295a870919e907bab49

SHA1
8987b01d42664781fde12862cdc07ce9b1e63a08

SHA256
4fb5516fc6511bce2c08c4146052a73d3759bd7da3afeae25723068abe4dbfdd

SHA512
6fe575907e793641e729dd03680c05a5b4c22bbf9d24a95631ba54a93052982d10e35d48948eb9ede911b0e10afb91b63234a6f3f16711f2ac655cbdc763f37f

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
419KB

MD5
8b13fca0c7201d7f8d75cf9b48e13c9f

SHA1
13822e26ac83ff0f973506202c1e6c5bd0960a65

SHA256
6b727fee1a90d9668e7c342592a463fad0ca933ed76bd19f3bd6b9dc80bba7f2

SHA512
b3c1a7e91aea09c461948fe2447659221997b4e557d643119cb80f8ea72e3da59388958f159f109e80e6f7b4ee35d878c586fe457e266a7fde34a4cf589c3bc0

Download Submit
\Windows\SysWOW64\Bhjlli32.exe

Filesize
419KB

MD5
aecffdabe75a4b396f60122d91beceec

SHA1
f6be7a750ffd8cd62f97e3f56b63410036c506d3

SHA256
6601d530d0dd72d733b5f3fb745d32d3d78c5821b973fbe2a3e580f4d4d22565

SHA512
2c826b29f8ccccc015ee0af25d8d412376b9ebd13c4472f656701b19734ab91a28062907b438072f42bbd56a17b7f62f56332f7d504c3a6225219db668e65013

Download Submit
\Windows\SysWOW64\Bkjdndjo.exe

Filesize
419KB

MD5
6f0e749e6a9d141c1126dcc90d866c6a

SHA1
0ed45017e2506686b87cabb76ac3ca30fa4b49d4

SHA256
0a299a51296249703dea34e04e26d31b7f5c834b147b0d2a9ddba44aecf863f8

SHA512
57a4800c192ddd839b823a420a687e4d7c8d31a02e3ceba6d5a5e0a9a8f6b9e5eeae483b258333b22f126e847bcd9a5ab80f4a4cdae5c230b9311de11a468fed

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
419KB

MD5
cfc28ffedbec296933d6b332b54e1f2f

SHA1
28544a455252e961d512178dcc2bac4040e1b3d3

SHA256
cb9ad59f50a91086fd38b64325508232b50df347d1b938c3242a45ae28503f77

SHA512
d9b87044ce3cd8f11bf6e92d03ca07b6b73e91f0d2714c3511063a60f293866accff5c9720c2e038a068fcdd4e4bc5cc1e68a925b8d7df1e8f622f02084ae1ea

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
419KB

MD5
de489234cb86d896b3550def66739422

SHA1
4fb4101d341ad09ec1ec612f2fd80ddc1923f85b

SHA256
28a670a272915d5dff9e88c7fadd3071d4506380974a8698b390a89dfe7252a4

SHA512
96ab95ec1505d3ae62ace421d3edc5260c351af779c9ecbd6601518984fc2e79b8261f23ba36979be17ff0615e0019fc29e59864f235c7d84d47ec95dddd920c

Download Submit
\Windows\SysWOW64\Qiioon32.exe

Filesize
419KB

MD5
f81903723a23a634dc3d03b963bca5e3

SHA1
4c559faa87bff3885f41c2ad60bed480a60cc897

SHA256
e3c9fa1a44278fd24bf9cb8bf5b4c864112e52c26d9219f9160b7b0aecb7e6a1

SHA512
1dd16d0ab484eea99251ecc1b60971b01bcf5ee0cf3ef0741adf29c9f4666a900e2ab654baa350d510aac84409823a3f4ea5bba7d962694bab4b00c05341f8b7

Download Submit
\Windows\SysWOW64\Qjklenpa.exe

Filesize
419KB

MD5
0bca4617343637861f615c260bac0d97

SHA1
d7f29c830eca28fe2b4111cf91bef7cc1ff86f88

SHA256
4a7d76da14903b1178e7dfcf0b5e19a76a2a8f0caadf8c967eb6e2b08df89d9c

SHA512
f135f782a3d5613b7852bb74ac040e06c2bd4b7b45f3cbb648c52cdb16d7c2184564784ace556fb34582d60065e4e65ae06d37d95a9a56161cd640a577318aa4

Download Submit
memory/468-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-149-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/592-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/628-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/672-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-244-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/808-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-290-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/808-281-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/808-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-222-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1008-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-221-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1184-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-235-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1184-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-231-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1244-164-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1244-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-162-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1476-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-274-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1476-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-275-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1660-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-254-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1660-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-261-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1956-141-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1956-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-135-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1956-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-190-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2188-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-22-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2408-28-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2408-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-304-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2440-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2536-208-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2536-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-83-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2588-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-361-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2668-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-360-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2692-70-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2692-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-329-0x0000000001F80000-0x0000000001FB3000-memory.dmp

Filesize
204KB

Download
memory/2712-325-0x0000000001F80000-0x0000000001FB3000-memory.dmp

Filesize
204KB

Download
memory/2712-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-318-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2772-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-317-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2784-41-0x0000000000480000-0x00000000004B3000-memory.dmp

Filesize
204KB

Download
memory/2784-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-108-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-339-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2856-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-340-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2920-350-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2920-349-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2920-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-50-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2940-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-297-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2992-296-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2992-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-98-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/3036-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-93-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/3056-126-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3056-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads