646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Size

2.2MB
MD5

30f3d19e239f2b6ec4ea19f51804628f
SHA1

20fc6a5ebd778024a56553f52a8415557835f136
SHA256

646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986
SHA512

2f62bf3ef94196f3a6cd32386c7c2c9b41aeccef004d6c054bd79b19475d51a22fbc7d2fa33a61197aad3c2fb7aedf40dcffc2da2dcd043f2f3f85c3a86a1f50
SSDEEP

24576:Pf6X1q5h3q5hkntq5hU6X1q5h3q5h52q5h3q5hL6X1q5h3q5hM5Dg7:X6Gn9646KW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlhnbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbnbobin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clcflkic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dngoibmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eloemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhahlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlhnbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnilobkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beehencq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aplpai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfgaiaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clcflkic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dngoibmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhahlj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfgaiaci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnigda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqbenep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eloemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adhlaggp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beehencq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnilobkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdmmgpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnigda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baqbenep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplpai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adhlaggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbnbobin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe

Executes dropped EXE 29 IoCs

pid	Process
2944	Qlhnbf32.exe
2484	Qnigda32.exe
2588	Aplpai32.exe
1988	Adhlaggp.exe
2544	Bhahlj32.exe
2104	Beehencq.exe
2696	Baqbenep.exe
1604	Cfgaiaci.exe
1644	Cbnbobin.exe
2076	Clcflkic.exe
2672	Cndbcc32.exe
1452	Dngoibmo.exe
3060	Dnilobkm.exe
2164	Dgdmmgpj.exe
268	Dqlafm32.exe
584	Dgfjbgmh.exe
1812	Eiaiqn32.exe
1436	Eloemi32.exe
448	Fnbkddem.exe
2800	Fbgmbg32.exe
1640	Fmlapp32.exe
3048	Gelppaof.exe
912	Gkihhhnm.exe
2968	Hgbebiao.exe
1940	Hiqbndpb.exe
880	Hcnpbi32.exe
2124	Hkkalk32.exe
2568	Iknnbklc.exe
2524	Iagfoe32.exe

Loads dropped DLL 62 IoCs

pid	Process
2904	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
2904	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
2944	Qlhnbf32.exe
2944	Qlhnbf32.exe
2484	Qnigda32.exe
2484	Qnigda32.exe
2588	Aplpai32.exe
2588	Aplpai32.exe
1988	Adhlaggp.exe
1988	Adhlaggp.exe
2544	Bhahlj32.exe
2544	Bhahlj32.exe
2104	Beehencq.exe
2104	Beehencq.exe
2696	Baqbenep.exe
2696	Baqbenep.exe
1604	Cfgaiaci.exe
1604	Cfgaiaci.exe
1644	Cbnbobin.exe
1644	Cbnbobin.exe
2076	Clcflkic.exe
2076	Clcflkic.exe
2672	Cndbcc32.exe
2672	Cndbcc32.exe
1452	Dngoibmo.exe
1452	Dngoibmo.exe
3060	Dnilobkm.exe
3060	Dnilobkm.exe
2164	Dgdmmgpj.exe
2164	Dgdmmgpj.exe
268	Dqlafm32.exe
268	Dqlafm32.exe
584	Dgfjbgmh.exe
584	Dgfjbgmh.exe
1812	Eiaiqn32.exe
1812	Eiaiqn32.exe
1436	Eloemi32.exe
1436	Eloemi32.exe
448	Fnbkddem.exe
448	Fnbkddem.exe
2800	Fbgmbg32.exe
2800	Fbgmbg32.exe
1640	Fmlapp32.exe
1640	Fmlapp32.exe
3048	Gelppaof.exe
3048	Gelppaof.exe
912	Gkihhhnm.exe
912	Gkihhhnm.exe
2968	Hgbebiao.exe
2968	Hgbebiao.exe
1940	Hiqbndpb.exe
1940	Hiqbndpb.exe
880	Hcnpbi32.exe
880	Hcnpbi32.exe
2124	Hkkalk32.exe
2124	Hkkalk32.exe
2568	Iknnbklc.exe
2568	Iknnbklc.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qlhnbf32.exe	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
File created	C:\Windows\SysWOW64\Qnigda32.exe	Qlhnbf32.exe
File opened for modification	C:\Windows\SysWOW64\Qnigda32.exe	Qlhnbf32.exe
File created	C:\Windows\SysWOW64\Moealbej.dll	Qlhnbf32.exe
File opened for modification	C:\Windows\SysWOW64\Bhahlj32.exe	Adhlaggp.exe
File created	C:\Windows\SysWOW64\Cndbcc32.exe	Clcflkic.exe
File created	C:\Windows\SysWOW64\Bibckiab.dll	Dgfjbgmh.exe
File opened for modification	C:\Windows\SysWOW64\Eloemi32.exe	Eiaiqn32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Adhlaggp.exe	Aplpai32.exe
File opened for modification	C:\Windows\SysWOW64\Cfgaiaci.exe	Baqbenep.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Fnbkddem.exe	Eloemi32.exe
File created	C:\Windows\SysWOW64\Bcqgok32.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Eiaiqn32.exe	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Mbiiek32.dll	Cbnbobin.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Adhlaggp.exe	Aplpai32.exe
File created	C:\Windows\SysWOW64\Ooahdmkl.dll	Beehencq.exe
File created	C:\Windows\SysWOW64\Cbnbobin.exe	Cfgaiaci.exe
File opened for modification	C:\Windows\SysWOW64\Cbnbobin.exe	Cfgaiaci.exe
File created	C:\Windows\SysWOW64\Jfpjfeia.dll	Dgdmmgpj.exe
File opened for modification	C:\Windows\SysWOW64\Fnbkddem.exe	Eloemi32.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Hpenlb32.dll	Clcflkic.exe
File created	C:\Windows\SysWOW64\Lpbjlbfp.dll	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Clcflkic.exe	Cbnbobin.exe
File opened for modification	C:\Windows\SysWOW64\Dnilobkm.exe	Dngoibmo.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Bhahlj32.exe	Adhlaggp.exe
File created	C:\Windows\SysWOW64\Cnbpqb32.dll	Bhahlj32.exe
File created	C:\Windows\SysWOW64\Dgdmmgpj.exe	Dnilobkm.exe
File created	C:\Windows\SysWOW64\Dqlafm32.exe	Dgdmmgpj.exe
File created	C:\Windows\SysWOW64\Kkjjld32.dll	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
File created	C:\Windows\SysWOW64\Bgpkceld.dll	Adhlaggp.exe
File opened for modification	C:\Windows\SysWOW64\Baqbenep.exe	Beehencq.exe
File created	C:\Windows\SysWOW64\Dngoibmo.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Dnilobkm.exe	Dngoibmo.exe
File created	C:\Windows\SysWOW64\Dgfjbgmh.exe	Dqlafm32.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Beehencq.exe	Bhahlj32.exe
File opened for modification	C:\Windows\SysWOW64\Cndbcc32.exe	Clcflkic.exe
File created	C:\Windows\SysWOW64\Iaeldika.dll	Eloemi32.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Mjccnjpk.dll	Aplpai32.exe
File opened for modification	C:\Windows\SysWOW64\Dngoibmo.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Mkaggelk.dll	Dqlafm32.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gkihhhnm.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Baqbenep.exe	Beehencq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	2524	WerFault.exe	56

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beehencq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beehencq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll"	Cbnbobin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll"	Dnilobkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhahlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll"	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfgaiaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgeceh32.dll"	Cfgaiaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnilobkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moealbej.dll"	Qlhnbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnigda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjccnjpk.dll"	Aplpai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aplpai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adhlaggp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll"	Qnigda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbnbobin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll"	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkdol32.dll"	Baqbenep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhahlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbpqb32.dll"	Bhahlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll"	Beehencq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnilobkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll"	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qlhnbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdmmgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll"	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2944	2904	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe	28
PID 2904 wrote to memory of 2944	2904	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe	28
PID 2904 wrote to memory of 2944	2904	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe	28
PID 2904 wrote to memory of 2944	2904	646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe	28
PID 2944 wrote to memory of 2484	2944	Qlhnbf32.exe	29
PID 2944 wrote to memory of 2484	2944	Qlhnbf32.exe	29
PID 2944 wrote to memory of 2484	2944	Qlhnbf32.exe	29
PID 2944 wrote to memory of 2484	2944	Qlhnbf32.exe	29
PID 2484 wrote to memory of 2588	2484	Qnigda32.exe	30
PID 2484 wrote to memory of 2588	2484	Qnigda32.exe	30
PID 2484 wrote to memory of 2588	2484	Qnigda32.exe	30
PID 2484 wrote to memory of 2588	2484	Qnigda32.exe	30
PID 2588 wrote to memory of 1988	2588	Aplpai32.exe	31
PID 2588 wrote to memory of 1988	2588	Aplpai32.exe	31
PID 2588 wrote to memory of 1988	2588	Aplpai32.exe	31
PID 2588 wrote to memory of 1988	2588	Aplpai32.exe	31
PID 1988 wrote to memory of 2544	1988	Adhlaggp.exe	32
PID 1988 wrote to memory of 2544	1988	Adhlaggp.exe	32
PID 1988 wrote to memory of 2544	1988	Adhlaggp.exe	32
PID 1988 wrote to memory of 2544	1988	Adhlaggp.exe	32
PID 2544 wrote to memory of 2104	2544	Bhahlj32.exe	33
PID 2544 wrote to memory of 2104	2544	Bhahlj32.exe	33
PID 2544 wrote to memory of 2104	2544	Bhahlj32.exe	33
PID 2544 wrote to memory of 2104	2544	Bhahlj32.exe	33
PID 2104 wrote to memory of 2696	2104	Beehencq.exe	34
PID 2104 wrote to memory of 2696	2104	Beehencq.exe	34
PID 2104 wrote to memory of 2696	2104	Beehencq.exe	34
PID 2104 wrote to memory of 2696	2104	Beehencq.exe	34
PID 2696 wrote to memory of 1604	2696	Baqbenep.exe	35
PID 2696 wrote to memory of 1604	2696	Baqbenep.exe	35
PID 2696 wrote to memory of 1604	2696	Baqbenep.exe	35
PID 2696 wrote to memory of 1604	2696	Baqbenep.exe	35
PID 1604 wrote to memory of 1644	1604	Cfgaiaci.exe	36
PID 1604 wrote to memory of 1644	1604	Cfgaiaci.exe	36
PID 1604 wrote to memory of 1644	1604	Cfgaiaci.exe	36
PID 1604 wrote to memory of 1644	1604	Cfgaiaci.exe	36
PID 1644 wrote to memory of 2076	1644	Cbnbobin.exe	37
PID 1644 wrote to memory of 2076	1644	Cbnbobin.exe	37
PID 1644 wrote to memory of 2076	1644	Cbnbobin.exe	37
PID 1644 wrote to memory of 2076	1644	Cbnbobin.exe	37
PID 2076 wrote to memory of 2672	2076	Clcflkic.exe	38
PID 2076 wrote to memory of 2672	2076	Clcflkic.exe	38
PID 2076 wrote to memory of 2672	2076	Clcflkic.exe	38
PID 2076 wrote to memory of 2672	2076	Clcflkic.exe	38
PID 2672 wrote to memory of 1452	2672	Cndbcc32.exe	39
PID 2672 wrote to memory of 1452	2672	Cndbcc32.exe	39
PID 2672 wrote to memory of 1452	2672	Cndbcc32.exe	39
PID 2672 wrote to memory of 1452	2672	Cndbcc32.exe	39
PID 1452 wrote to memory of 3060	1452	Dngoibmo.exe	40
PID 1452 wrote to memory of 3060	1452	Dngoibmo.exe	40
PID 1452 wrote to memory of 3060	1452	Dngoibmo.exe	40
PID 1452 wrote to memory of 3060	1452	Dngoibmo.exe	40
PID 3060 wrote to memory of 2164	3060	Dnilobkm.exe	41
PID 3060 wrote to memory of 2164	3060	Dnilobkm.exe	41
PID 3060 wrote to memory of 2164	3060	Dnilobkm.exe	41
PID 3060 wrote to memory of 2164	3060	Dnilobkm.exe	41
PID 2164 wrote to memory of 268	2164	Dgdmmgpj.exe	42
PID 2164 wrote to memory of 268	2164	Dgdmmgpj.exe	42
PID 2164 wrote to memory of 268	2164	Dgdmmgpj.exe	42
PID 2164 wrote to memory of 268	2164	Dgdmmgpj.exe	42
PID 268 wrote to memory of 584	268	Dqlafm32.exe	43
PID 268 wrote to memory of 584	268	Dqlafm32.exe	43
PID 268 wrote to memory of 584	268	Dqlafm32.exe	43
PID 268 wrote to memory of 584	268	Dqlafm32.exe	43

C:\Users\Admin\AppData\Local\Temp\646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
"C:\Users\Admin\AppData\Local\Temp\646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\Qlhnbf32.exe
  C:\Windows\system32\Qlhnbf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\Qnigda32.exe
    C:\Windows\system32\Qnigda32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\Aplpai32.exe
      C:\Windows\system32\Aplpai32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Adhlaggp.exe
        
        C:\Windows\system32\Adhlaggp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\SysWOW64\Bhahlj32.exe
        
        C:\Windows\system32\Bhahlj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Beehencq.exe
        
        C:\Windows\system32\Beehencq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Baqbenep.exe
        
        C:\Windows\system32\Baqbenep.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Cfgaiaci.exe
        
        C:\Windows\system32\Cfgaiaci.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Cbnbobin.exe
        
        C:\Windows\system32\Cbnbobin.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Clcflkic.exe
        
        C:\Windows\system32\Clcflkic.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Cndbcc32.exe
        
        C:\Windows\system32\Cndbcc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Dngoibmo.exe
        
        C:\Windows\system32\Dngoibmo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Dnilobkm.exe
        
        C:\Windows\system32\Dnilobkm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Dgdmmgpj.exe
        
        C:\Windows\system32\Dgdmmgpj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Dqlafm32.exe
        
        C:\Windows\system32\Dqlafm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Dgfjbgmh.exe
        
        C:\Windows\system32\Dgfjbgmh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Eiaiqn32.exe
        
        C:\Windows\system32\Eiaiqn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Eloemi32.exe
        
        C:\Windows\system32\Eloemi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Fnbkddem.exe
        
        C:\Windows\system32\Fnbkddem.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        30⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adhlaggp.exe

Filesize
2.2MB

MD5
c3dbae01fe54a7932dd6f3cff40fecc5

SHA1
0f12c2292bfa5d366da03c8b145153ba63da703f

SHA256
f002d587685ba28bec7ed1098535f717039e61121f09ee6a0fb150512a626723

SHA512
90b5b86c8613ad35b02888f7eef87b5841e412f1a2d7d02182a118b8659ca5fd58bec4d9e1ac7b3f4d2164156d8a722a874bf3f5bc8dd4de221a421dbde6dd6a

Download Submit
C:\Windows\SysWOW64\Aplpai32.exe

Filesize
2.2MB

MD5
12f23b522fafade12d83ffe5674403aa

SHA1
f786b949e968a8ac1adb22ac8041d3785b991161

SHA256
6b97ea940f932dafade86a04131ae47c4af1a4ac2c4a5ee0b076a39a1ee527d5

SHA512
e2d66465e8d6321c0d99de1a55954de86678bb6844a270a21536f3c677e3576b35f1e353910ec9f97046d3187c9bd5b3b84ffb3ed0c08960edc361493671fc75

Download Submit
C:\Windows\SysWOW64\Baqbenep.exe

Filesize
1.8MB

MD5
ed6d2d802a75e5d908bcec5477e73775

SHA1
5d73ed28e3669d6eb3a1c4718dc3f8106a655266

SHA256
7a354efbbf5e345778cb2fa33d9277303c567e2c0e7c7a5bf7b049df70be74c0

SHA512
304ed6fbb9043559ae1660aea7f5f44ac90b5f48e6c0be3d7d50fa38bc22cd359d28b2cb60831193614c5f9cc63661be3e066332a0f7c519d287bd7f6248dc6d

Download Submit
C:\Windows\SysWOW64\Baqbenep.exe

Filesize
2.0MB

MD5
19879313323f9fc6ffd497cf563e1bd2

SHA1
608cda738ace36387191258dc9282e058382fee8

SHA256
95656822454ebabe949bceeb881ab8e093f2c1fec13c517dfed3647b3a6097a0

SHA512
350e930035e9ede676a956a6efa80d4a9068927a341c6382d90ef743bc993ec40df38a58ba3cb8d59b1459c7d3af336adb50c98aa919cfc1e83513e8089ab170

Download Submit
C:\Windows\SysWOW64\Baqbenep.exe

Filesize
2.1MB

MD5
d0c359f8dfc838eaabe74e0202c9add2

SHA1
7122f90ff067c7e1262510f0fdc86ea61ea96f4b

SHA256
0c77d5e67d62f774b9f74a2c637cecedaae25c255fab0f9b06056492acff2b8c

SHA512
10cad3eb74445778e2db5270b053f9b1fec385e42d7a9ec6ca023957497074a82ec1e49d7d2866aff2c78013d5f3c3d5eb5bec6f199d1212dee72e39ccbaa304

Download Submit
C:\Windows\SysWOW64\Cbnbobin.exe

Filesize
2.1MB

MD5
1af92923319e388b1c37b4dd03dcb3dc

SHA1
58f9409b171b4d2b591bb9c27e087bf896acb8a8

SHA256
fbb4f059dc24694064efd299bd5ea6990115b1bbd7afe81894b3cf59ae955f1d

SHA512
310c71145b302ddbccb9d5f52d983b0641be60d2aa763ffc0ed5e70803c0fdcd625a173dac74dfea2329c3e8e95e1996234d088c9bad6f96596f7af10b1fde40

Download Submit
C:\Windows\SysWOW64\Clcflkic.exe

Filesize
512KB

MD5
62a2c95aa5751d7d3af913eaea3cc039

SHA1
8297a917a954d62435281faebf215939c3c7c7f1

SHA256
70b7ee3a77d4425cd6aacad6ac78b61f85bb3e9b890fba7749b035c36bdf74c0

SHA512
6277bf31f21dd72c63e2806b09d51a34ff80a68dbed356329c7d421a02be4e44fd3c53fba6f034b5daf57e6a4c1475416ac3323a77c3f0635c3abb45be738327

Download Submit
C:\Windows\SysWOW64\Clcflkic.exe

Filesize
2.2MB

MD5
ae984f4c6c286c98d5e65eadbca2e2ac

SHA1
15265457da23909836632fb758f69687a432dbac

SHA256
8738686520d8c903db08eb2c857cc82630047f42c46485f6030bbf3bd491c8d1

SHA512
f5ce6060f69637450a1d05a3e739d22c9f61eee866d7eb37e35ad9dea932d95fcbc5be88c86c1e8d61b6a2e18bbabfa6221dcf2dcf7b42f2edd1481734149cf4

Download Submit
C:\Windows\SysWOW64\Clcflkic.exe

Filesize
1.9MB

MD5
b9c2c7b819314b4b6b5a1073d86c2eb7

SHA1
593908725e59425db73e25ade478b26337cce585

SHA256
1baf01f44219affc4a75cd9536069fa26eb49d74c532a28625d82f96a2555712

SHA512
de041aab1699b56450e0f246df2e3dd339fd59f690f90ee6da667100cc653ea53f1e6e70b63d00e10a1dd22bef6b5d4aadf1a8d2b0213dace38af61d66e318c9

Download Submit
C:\Windows\SysWOW64\Cndbcc32.exe

Filesize
512KB

MD5
b453b4182192d49a6164090b47a91ceb

SHA1
de02863ede709befeb587e1005edb625bb063de1

SHA256
0f26afe19de572538acab186cee488e0303ab9994149a134e7f392526a345251

SHA512
6ce409319393db6705e73e521a689e9c9d1881a296c7fb3c0b62fcd8890628a1638c58f06cf02f1961d1393b38cd4138672455ffff8814e48bc58899b27f6309

Download Submit
C:\Windows\SysWOW64\Cndbcc32.exe

Filesize
2.2MB

MD5
15780cff6b75c9232582cbbb96a647d6

SHA1
40cb85f3b16797a594154a614baddda84a5b6c2d

SHA256
a32e6371e8564d30d09dbc73f113a78a2318bb64a0631686ebe250453b191c46

SHA512
8a2c84a739e836e2a57fca8efd61ad9cf1d08f9bb90fb002d31cce6ffce55feb87f9a514ef8a56e8d6347f4bfa5fba2dbfdefb8af895b6b57f61f764257f0c9b

Download Submit
C:\Windows\SysWOW64\Dgdmmgpj.exe

Filesize
2.2MB

MD5
6994a3c19464eccd48262334382586f4

SHA1
08dbab59af2d38fabb3256f54ff0a6f8359775ec

SHA256
f75c5d20fd32b0734728ea4ac7dba61185c0a6d589d55da8e98ebf132948765c

SHA512
ba0b23032298b96cd48a87d7cb4006dd37ac7ee3aa817cb5a2e015fad9197e7419ae8f12bace89acfde24f06a28dcf2216d4c8acac9d573d71b5336ff97b061b

Download Submit
C:\Windows\SysWOW64\Dgdmmgpj.exe

Filesize
1.1MB

MD5
bf723797b03ac50fcf03a1e7f825cfde

SHA1
4cb14774f0177ed5f9bc7d73fd3329a5a335a9e8

SHA256
9c88f5216d0634debc304de65aa4c4dfb4871d3af04a27948e14255675ffca0e

SHA512
4152e9624851c478dc0a0b4d539534dc4ccf0c0b0c1177fec9edcd2f0c2da29954d624055d33c3c5114459ad7ae06f650ab6ae11aa23163b1170ccf5b6a06342

Download Submit
C:\Windows\SysWOW64\Dgfjbgmh.exe

Filesize
512KB

MD5
4e395e62e4e63a2f764dce8c758f094e

SHA1
d8a6a3b92c9f2fe8267f65a6fe34113733c02fc0

SHA256
9d3a4a077df27fb80976277c4830999a1f6c10e0b987413adca280ca0939b957

SHA512
7e3771e8fd3329844def2b0076acf1ad5cb1ac22a30c8e07586bdd17c4aab2c0f302802edcd7b524a8ffa2325ea5f8077857a2a735efc320d80e0f373faa3932

Download Submit
C:\Windows\SysWOW64\Dgfjbgmh.exe

Filesize
2.2MB

MD5
ec7f4366e0172e0f521e5bcbc6a7a3cd

SHA1
16ff106513cf5c9ed72f476377ffce8738bb27b4

SHA256
0ff09967061bc1c3def38550e58affcf0ed44667f6ffa7b2b5a4d367c3ffd148

SHA512
650348596b12b43a6f39561ea033467da6d091468af69cba8134f9e98e686e78b0d842859e82b046c41b06b2b1d77688892dcf7088c8b75f85f4fdcbaa8147eb

Download Submit
C:\Windows\SysWOW64\Dngoibmo.exe

Filesize
2.2MB

MD5
7fd2a4949cff89def6f7edbb562c1099

SHA1
2511c13c8eff7e17efdc13b6de385e191479fb71

SHA256
25e164f03239b6868cbac441ccc23157a32efd60cbbe0d768f9d230cab7d9a2f

SHA512
427469aa07c598d146773601de0dbecd2cf2508443ea07452bd639c24450f79e42a8b25b17323c65a46ab52bcbd22c4725cc0f693e0023cd9087519d324feb11

Download Submit
C:\Windows\SysWOW64\Dnilobkm.exe

Filesize
2.2MB

MD5
7d51a6be9d7c3e8091e332f101cf1689

SHA1
9067f6a9b59e281165eb6c904dc0c6a80953a37a

SHA256
174f5000cf8040fdff0ae40e1cbc422c4523c8432d78f267d338dfeb19493982

SHA512
1913f5e54b4be71fb234c3cf13be826cac6b24a0e2ed8c4f7b04ba006ffe4a78e23c1f1bf709c9fd7bb3ca7c839a02d2e9101e4c2c06373a475f5fe99622ad80

Download Submit
C:\Windows\SysWOW64\Dqlafm32.exe

Filesize
2.2MB

MD5
04478d9a4433e1ac0d800806a09246d9

SHA1
255df7c845f21efede9f0ab705f41f232bbd17d8

SHA256
730d18fec543ec87fa390347d56e1956c111d4f268320a9390d2728a1a6ba980

SHA512
fac65fc13f19c9cca62d0460ca0a4a2bd7b9042d110cc97ed5cfba2e8b7524076259a0a7f5050899fdd91a557fa3ad649f402d4a1fdeb2a68458c4c3038d0bdb

Download Submit
C:\Windows\SysWOW64\Dqlafm32.exe

Filesize
128KB

MD5
20f0f972b8a369bd6e5bd0bea75758e0

SHA1
f0e1ad5722c5f8aab8c953074e19e9e797e129c2

SHA256
7af6283de2a849f1d3801355714d3487e0542f57696910eded898a1165cec80d

SHA512
9e10e04f01242e5d823a1cf2767d4e5cee0c1683d8b27957a20dbf3af7d8ac193c25e508b42c43279ce6bb5968ebdfe35c4d80828fb6266c6eadf282b07507fb

Download Submit
C:\Windows\SysWOW64\Eiaiqn32.exe

Filesize
2.2MB

MD5
51f402d054ab676c4d36d7f5e25ec2c6

SHA1
c9212cb767be664bc0587757a5cafa08e2ee9c27

SHA256
c7e4d212f82df81e617ae6640855d0e795400856ec57068a18a6773b2a794abc

SHA512
6a0e60cc76bc119cd74497d3d92d9933db99bdfce1ace77beff683c79933484ed16d806d3ade811580462735b810be65428b7f79dac423607f2ec3d0ca046ae6

Download Submit
C:\Windows\SysWOW64\Eloemi32.exe

Filesize
2.2MB

MD5
b178a121c5c3c6d89df57a156e5ba0f6

SHA1
550be7c2c382ee47913cede3551cb2471bc4bebc

SHA256
2f4d8a12d083c27ef342023eb9d64248df162c9d1af9cac5008f3094b6698e70

SHA512
fb9c3781a6bd79a1c7a36af5486cfc7e5d8780dc1f96cd3fd91c5722c6e11bdfb9b58ea74b39d8703519dd40f1937c1e43c6649e2284e5f42417714a196ab77d

Download Submit
C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
2.2MB

MD5
d68156d60f280f593179187ac526e44a

SHA1
79bee32f4cc60eebf3c34d236ac2c61b3aa789f7

SHA256
03ea853f5a3f50d8dde1f28cecedd63b004a7e134d782fc6601c8195def636a9

SHA512
1afa2131fc39038b33244464b54e0952cb706a99812cdaa4da7406121edfc67ace1161cb9cbdabd813a38a0ae74cd375b95a96bd57ea5d7f84e33b6e9fc62733

Download Submit
C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
2.2MB

MD5
7d4aff1821065a5f1fb62c4ce8b76e74

SHA1
641b92e82cfa7909649decf54e2415059c967793

SHA256
56e77dfc9fb4db354320f7f489c98673c3cca77385d0348de811d3748c9af60b

SHA512
5b664dab13dbba5252b9a508630fcdfb4ceeed5b558820236f4673eb4772ce7f9909eac78f844d16cc1f9dfb861652670e478672e707cf5d4180b7fc756acfe5

Download Submit
C:\Windows\SysWOW64\Fnbkddem.exe

Filesize
2.2MB

MD5
4a3f144e8c30ce0981a5ae0135b83cc1

SHA1
96e50735635d9de5c8977bfa20d6e7c6870d78d7

SHA256
6a814e2d396270ab629e17e884e6520e86b96dc755be98e58c208aa0a2e8500a

SHA512
e7c8769fcc3b03c48df99d3f47fe945a6380418477c11c302cd6331a523b26d8036778a265f2436f2b41105659a353fec7d26163fb1a9dac8a63ef683d99a701

Download Submit
C:\Windows\SysWOW64\Gelppaof.exe

Filesize
2.2MB

MD5
a3c263779bb5cda96a628b1e81b4ced7

SHA1
94bd5b7d50eb726e7e273a545af9268262e0d20a

SHA256
8b1cc75854438a7a1adcb44e5fae88fc600fb8e20c0e91411f59b80579b54434

SHA512
daec018fb6fb4d4bcc9b770f4b5d2df70cbabd5c5c6f4f29158eeb42ad7a8ab447d4ee5fb4b5abb6d5437fa6b4dd7a8b186d3764be0f4f38cabf6f4e4edfc0e4

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
2.2MB

MD5
85b75fa3300400c8361659aaf369ef53

SHA1
01530a536d9c4c71c62b5c62273c7faf50537bfd

SHA256
a646d3b05c795c2dbf40599d26a05060d5a10a5c7eb117d66197d776206fb050

SHA512
b1ce0415dd2cdaa0300e5f7e4188990147d916ecfa86cf4fadb0f31b26714697b50cd2d25ea3b0da3ad24e2dd630455f12b2073ebd0e5bab1c6e2709e39d46aa

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
2.2MB

MD5
7e3bab74b1a6b2acf9aa89a474763b75

SHA1
c1906b5d17ef5c01a5220b93c120d544b96cf3ad

SHA256
51da5c4a20e4ddd05817ed91332e99f26a91c2614a3dfd0908e5f4d482094cde

SHA512
b30c2f8350e8e37afa16f47fd2b2ff999b268396da98e2cda564a21851c65ab049e09024bb8c3064fc61b8bf5d62e0815ba4153f815d57f3f3ccb7d1d499ff7d

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
2.2MB

MD5
a251d4bea87c5413bcf90a831750dd34

SHA1
ebe9911ed24ddd10f1dbda93f2523b6bccec81c7

SHA256
b7fb7e7794f2dc16c1ef608a45391f276043d8a80f2d22ac9e8a787a14c5b39d

SHA512
99e75c36019240f06e5096e4a7eed4f7f4b042fe75361c89370b23989eef2312ce6f24164ba0acf43aaeedd18b93e42736009af753cc33dee0569a0bdd065da6

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
2.2MB

MD5
ad9873e1bd8bd02d5e59779b41dd1a3d

SHA1
6ce99ceee309e60095d2fb4084eb87737dde00e7

SHA256
05a89bf8592d322d32dfb1743c17758ebe6772d3ce545d553852f915638ef4b4

SHA512
083fed2c2f82d0bbace7363648e9b0b69844b1809750d61be00fb47f1b8dafe2fbe100dc01ce034a7958b2fc14604661405837ab4b976b55345d118a4b0363f9

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
2.2MB

MD5
30dea7809b1ef32316b5facfeff69020

SHA1
f697ba43037588b8c33ff4d9bdb2331860222427

SHA256
9ae2b76a03449cdbb58e97d3d5e8c23a91765e0e5124dc62207fa629791797fe

SHA512
8d065a06d09eb076a4c9763cc3414017a6077d3cc54abfb3861a0c4e3079072430f06ca5dfab6c61662fb057831fd8b09d8d9d8f90c8a2ad55fdec459679c46c

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
2.2MB

MD5
6a093dbf73b3aca3a36dd99e065c7edc

SHA1
db5571695d4fa6c9ee8072c8faafd348c159e5ac

SHA256
6c4dcdefd9cf38b48b5fa0c70ff8aa164316bda7f20bbd94f1ec4d3a160e7074

SHA512
ca7772cd7ebf38fb50f6d9c88ba2f7396811639c7ae2049aa9e5f955a55c512edb89701913082ecf04ce4fd7377ce5e333ea55de1ed6d5a4511103f6fb79625f

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
2.2MB

MD5
c8ed1714a3e6ffd44a5178a9f929a5b7

SHA1
67716904dee974a86649ab9631e4bc94c3e2c216

SHA256
1d11d2dcaddcdf36487ea57ce923021f0d9818186aad0322400de5ad984a4159

SHA512
384905077a3d58a77389213bfb0daa307fc3c9c52ccee13900d337243020dfd22f0a5f4b6c9f75df0d57f3376e9e291f5cd9a76db6beb933c3c0ee046b395221

Download Submit
\Windows\SysWOW64\Baqbenep.exe

Filesize
1.6MB

MD5
48b79a4c62570c3038260c7b56f02fce

SHA1
56ff8847f2cab2af13c485af74f174bf78e9e5ea

SHA256
854ef38a9517987db2f16faca5150c1c00518ab6bd6c6d111f1df179b7dc8ced

SHA512
0854d499832c944d0241b751328f580b8f581f229e09c809fc5bb19192af6764ae42e64a04115bbdd9d018a3f801d8d84dcb715f9d66e91bb9cd5446d0c59c71

Download Submit
\Windows\SysWOW64\Beehencq.exe

Filesize
2.2MB

MD5
5208b81f5901d96424f0db40c9424ea7

SHA1
7d55bb2728517761ac05fd0ec939ed19acc02027

SHA256
b1576491abc82f51d2bbed659a138e468026a795396e78479c07ce77b14a31c9

SHA512
02048fe579f7c625d07d91cd33835fb121c1c9b7f2388262df4b98373b83bc4ab26d03b1bf3e7f47aca33aac05e780f1bcfd87ce6dc813d34acdf876f1346445

Download Submit
\Windows\SysWOW64\Bhahlj32.exe

Filesize
2.2MB

MD5
1841aed52fc9a05a73310dbec29b92a8

SHA1
0d59c5aa51c6c872df3c83ede61e456e7d4e74eb

SHA256
46bfab7d4c586ce606281ac8ed1ac9035b44e3aea312f285ec8d0123c5e5ef94

SHA512
76c1fe078ac42769d6f6f9bc05c9eb31e672e2c9ab89bc22a72588d7fe73e1cb588092faaa72922074f0cd57c65de31d83353df9575679ccb55efcab03466af5

Download Submit
\Windows\SysWOW64\Cbnbobin.exe

Filesize
704KB

MD5
4000c005c327dcd1f096c9c8e29abf79

SHA1
321fe4178a26246dc8f3860ff5ee01a02c244f60

SHA256
db59462f34ce283a891d5be66f26ffc00941d894b674f4f90aa991a883aaeddc

SHA512
b7a4848306c648905572c534f8678f2dc7637db4011cbf37399c960591a7add9280eb03a90e82035808b919564250108347cd01d6bc811c11c7c7d4406b18938

Download Submit
\Windows\SysWOW64\Cbnbobin.exe

Filesize
2.2MB

MD5
143a7da7c2b4dee83df7d0fce2a8554f

SHA1
b0f0c2bab184210acf1b75ba72c4d7cd316ce4d2

SHA256
462cd6b33237dd0520b8facd4bb614486c15d2f574c155ee9dd6a8e58ccb0ca6

SHA512
ff569612ca9234f0f8fc39f744f0104bc9db173a32741bff449043c162a7d5df8ff3967159062cf2d4892bd4386e53dcccbf1bfb6f5eba275a97a1c7578b04d6

Download Submit
\Windows\SysWOW64\Cfgaiaci.exe

Filesize
2.2MB

MD5
81bd8ce4487f1c0525785a75ae675c65

SHA1
52be19c2c7a3f4d9e659e1c8a34f1d57d043ca9a

SHA256
d101f1801c1e8ec7377d3e8cf4ff5a80aa9935cb6cc02137b6c48c8b6f8461c0

SHA512
eac6ebcde38d4991ba73eadfef382553c2c0dc62aec9de45dfc7e737635b08b840e4c273984b20ad79834cdf18cfdafc895ee4716abc2439e2a9b00c4b283cb5

Download Submit
\Windows\SysWOW64\Dgfjbgmh.exe

Filesize
576KB

MD5
aea5a18069b1dfd08c25cf5fabc3ec13

SHA1
b5d2e8bd8ae05141dda58911aa503f1a1b3cc5aa

SHA256
8bbc47927d0fc08d927d6d526a3f209c2c5c1b4b4a0411bae59bb224e8dbff92

SHA512
a0bed00985907f6f8e3d329adec266c5f48220cf209a65eda77d5c049174bdf675141aeb99a733d4d0c17a6d511e1ba7cafa54ae6f71f1703e4a28e136c4e180

Download Submit
\Windows\SysWOW64\Qlhnbf32.exe

Filesize
2.2MB

MD5
4bf1acf0da691f651d6c0dc1fe77532b

SHA1
faf86e691a1148cd78b16ef38ba6d611b198d274

SHA256
dfe085c9f555532e82e127180e73a2454ae1be67aa17286188452b91d12ad0a2

SHA512
456c187a901140615938ef364b358b676c603eae17ed7bc70452f3663dba137eb2eb0a5070a505e962d1f4a4d62c88ea37dc5ee75a2180ab1b4faf90b759549c

Download Submit
\Windows\SysWOW64\Qnigda32.exe

Filesize
2.2MB

MD5
b218e193eb30b810d22cbf6bc73b13e8

SHA1
0891b084e96342e9669e5b2ece7ee317c3fadb14

SHA256
4ffa22a51140944bd41dac9e1cb51a184a7c4dd964a9d15f3e6b80a741b40cd7

SHA512
3cf9354bd7170283eaf2089172ececb2df3d5dfd993963f661a754cf23e825f4f0fe4db10ac5fe9df655f7265a5e78dfc7191feab64667ca457b3597bfa96414

Download Submit
memory/268-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-304-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/448-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-267-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/584-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/584-227-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/880-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/880-336-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/880-337-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/912-302-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/912-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/912-309-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1436-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-248-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1436-257-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1452-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1604-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-288-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1640-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-298-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1644-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-237-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1812-241-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1812-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-322-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1940-326-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1988-67-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1988-74-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2076-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-97-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2124-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-348-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2124-347-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2164-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-83-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2544-75-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-78-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2568-358-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2568-359-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2568-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-55-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2588-49-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2672-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-117-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2800-281-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2800-306-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2800-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-12-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2904-6-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2944-22-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/2944-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-314-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2968-319-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/3048-308-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/3048-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-300-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/3060-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads