8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 00:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Size

224KB
MD5

c1c71d7a3da5c45bd40e8bcf00bd772d
SHA1

0560557e5ab01fcd32be6ca01d38f7ab81328da9
SHA256

8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f
SHA512

be012d152ad8c62d021a8bd4e80f09e24d9062b036206f461bd95807254b22f82c249958d35a085afbd21301a324b47f8a8817dc3b98ec3e1a05e530392c5508
SSDEEP

3072:H6DYIStrfGh0HUlIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOgt:aFSt80HUD4s5tTDUZNSN58VU5tTtf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe

Executes dropped EXE 13 IoCs

pid	Process
1540	Pkdgpo32.exe
2628	Qflhbhgg.exe
2504	Qkhpkoen.exe
2436	Aecaidjl.exe
2572	Afgkfl32.exe
2464	Agfgqo32.exe
2892	Acmhepko.exe
1632	Bilmcf32.exe
2752	Becnhgmg.exe
924	Bbikgk32.exe
1100	Bmeimhdj.exe
1844	Cfnmfn32.exe
1720	Cacacg32.exe

Loads dropped DLL 30 IoCs

pid	Process
1784	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
1784	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
1540	Pkdgpo32.exe
1540	Pkdgpo32.exe
2628	Qflhbhgg.exe
2628	Qflhbhgg.exe
2504	Qkhpkoen.exe
2504	Qkhpkoen.exe
2436	Aecaidjl.exe
2436	Aecaidjl.exe
2572	Afgkfl32.exe
2572	Afgkfl32.exe
2464	Agfgqo32.exe
2464	Agfgqo32.exe
2892	Acmhepko.exe
2892	Acmhepko.exe
1632	Bilmcf32.exe
1632	Bilmcf32.exe
2752	Becnhgmg.exe
2752	Becnhgmg.exe
924	Bbikgk32.exe
924	Bbikgk32.exe
1100	Bmeimhdj.exe
1100	Bmeimhdj.exe
1844	Cfnmfn32.exe
1844	Cfnmfn32.exe
1664	WerFault.exe
1664	WerFault.exe
1664	WerFault.exe
1664	WerFault.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Qkhpkoen.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Becnhgmg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1664	1720	WerFault.exe	40

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1540	1784	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe	28
PID 1784 wrote to memory of 1540	1784	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe	28
PID 1784 wrote to memory of 1540	1784	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe	28
PID 1784 wrote to memory of 1540	1784	8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe	28
PID 1540 wrote to memory of 2628	1540	Pkdgpo32.exe	29
PID 1540 wrote to memory of 2628	1540	Pkdgpo32.exe	29
PID 1540 wrote to memory of 2628	1540	Pkdgpo32.exe	29
PID 1540 wrote to memory of 2628	1540	Pkdgpo32.exe	29
PID 2628 wrote to memory of 2504	2628	Qflhbhgg.exe	30
PID 2628 wrote to memory of 2504	2628	Qflhbhgg.exe	30
PID 2628 wrote to memory of 2504	2628	Qflhbhgg.exe	30
PID 2628 wrote to memory of 2504	2628	Qflhbhgg.exe	30
PID 2504 wrote to memory of 2436	2504	Qkhpkoen.exe	31
PID 2504 wrote to memory of 2436	2504	Qkhpkoen.exe	31
PID 2504 wrote to memory of 2436	2504	Qkhpkoen.exe	31
PID 2504 wrote to memory of 2436	2504	Qkhpkoen.exe	31
PID 2436 wrote to memory of 2572	2436	Aecaidjl.exe	32
PID 2436 wrote to memory of 2572	2436	Aecaidjl.exe	32
PID 2436 wrote to memory of 2572	2436	Aecaidjl.exe	32
PID 2436 wrote to memory of 2572	2436	Aecaidjl.exe	32
PID 2572 wrote to memory of 2464	2572	Afgkfl32.exe	33
PID 2572 wrote to memory of 2464	2572	Afgkfl32.exe	33
PID 2572 wrote to memory of 2464	2572	Afgkfl32.exe	33
PID 2572 wrote to memory of 2464	2572	Afgkfl32.exe	33
PID 2464 wrote to memory of 2892	2464	Agfgqo32.exe	34
PID 2464 wrote to memory of 2892	2464	Agfgqo32.exe	34
PID 2464 wrote to memory of 2892	2464	Agfgqo32.exe	34
PID 2464 wrote to memory of 2892	2464	Agfgqo32.exe	34
PID 2892 wrote to memory of 1632	2892	Acmhepko.exe	35
PID 2892 wrote to memory of 1632	2892	Acmhepko.exe	35
PID 2892 wrote to memory of 1632	2892	Acmhepko.exe	35
PID 2892 wrote to memory of 1632	2892	Acmhepko.exe	35
PID 1632 wrote to memory of 2752	1632	Bilmcf32.exe	36
PID 1632 wrote to memory of 2752	1632	Bilmcf32.exe	36
PID 1632 wrote to memory of 2752	1632	Bilmcf32.exe	36
PID 1632 wrote to memory of 2752	1632	Bilmcf32.exe	36
PID 2752 wrote to memory of 924	2752	Becnhgmg.exe	37
PID 2752 wrote to memory of 924	2752	Becnhgmg.exe	37
PID 2752 wrote to memory of 924	2752	Becnhgmg.exe	37
PID 2752 wrote to memory of 924	2752	Becnhgmg.exe	37
PID 924 wrote to memory of 1100	924	Bbikgk32.exe	38
PID 924 wrote to memory of 1100	924	Bbikgk32.exe	38
PID 924 wrote to memory of 1100	924	Bbikgk32.exe	38
PID 924 wrote to memory of 1100	924	Bbikgk32.exe	38
PID 1100 wrote to memory of 1844	1100	Bmeimhdj.exe	39
PID 1100 wrote to memory of 1844	1100	Bmeimhdj.exe	39
PID 1100 wrote to memory of 1844	1100	Bmeimhdj.exe	39
PID 1100 wrote to memory of 1844	1100	Bmeimhdj.exe	39
PID 1844 wrote to memory of 1720	1844	Cfnmfn32.exe	40
PID 1844 wrote to memory of 1720	1844	Cfnmfn32.exe	40
PID 1844 wrote to memory of 1720	1844	Cfnmfn32.exe	40
PID 1844 wrote to memory of 1720	1844	Cfnmfn32.exe	40
PID 1720 wrote to memory of 1664	1720	Cacacg32.exe	41
PID 1720 wrote to memory of 1664	1720	Cacacg32.exe	41
PID 1720 wrote to memory of 1664	1720	Cacacg32.exe	41
PID 1720 wrote to memory of 1664	1720	Cacacg32.exe	41

C:\Users\Admin\AppData\Local\Temp\8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe
"C:\Users\Admin\AppData\Local\Temp\8ab8f2aca65b4cf57d8d090917467db2969227a3503a1c5c0d5ce8676f31a46f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\Pkdgpo32.exe
  C:\Windows\system32\Pkdgpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\Qflhbhgg.exe
    C:\Windows\system32\Qflhbhgg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Qkhpkoen.exe
      C:\Windows\system32\Qkhpkoen.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 140
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acmhepko.exe

Filesize
224KB

MD5
835707d743f1048f0eb7efc71dc22ca5

SHA1
923c039c380a53182f1f2e8f75997dfccd006248

SHA256
190bc7a1ce65c40a7847ee4c9455c4a22bbaaf5058d708ee1f3b25cb5473850d

SHA512
cc97f92a412552267737be6815dd3d646f8e8755e83587ee5e92df8c5f417959c5048127cf142be23ac5b30067ab6cc9882c92737fada7c4cc7f2b543096d207

Download Submit
\Windows\SysWOW64\Aecaidjl.exe

Filesize
224KB

MD5
0c0d053923cee4937308fdea23ed8adc

SHA1
86ea7f2625a1f400a32b484c64983399f0532b96

SHA256
a2bf9c0f5ae314a4f4a5196d53f6ac048c60dfe68f7dc7e9820d7390e72d5715

SHA512
e050bd093c74a05451ad1120bcd822d1d024e177820217297de146ecba1aa112f77d0ed153dcd3227997ff3da2da02460f7ff2e92829c61d4d6d5f6870ab4032

Download Submit
\Windows\SysWOW64\Afgkfl32.exe

Filesize
224KB

MD5
3f941ca6caaeeb4134f3505ac14f501a

SHA1
ea4115c2a91a9eb36d313cd8131de4b48711b1ba

SHA256
3ab959c527d5319a754b1a7fd6a6baa16a62dae65a917cc23ad512627e0ba029

SHA512
a6653b0fec643391c23e124d58e2436a70e5706ce6e2d44efe7867ff5021beba9d45a60b81f227adc0ab7f62aa5e218ee37d874256a8fc2ef9180e26bae9753d

Download Submit
\Windows\SysWOW64\Agfgqo32.exe

Filesize
224KB

MD5
75790e2f8a49e8b4bfeaa4cae6dec842

SHA1
73fe1a6a367a6e87eea512e8eae677539363c13a

SHA256
26e1e5d79df5a9cba227f866e66f441964c65583d98e18a950aca000faf42e2a

SHA512
733415013801a77778a37122d7a2ba1c2090b7e643326a0d6f25e1d15d33f8885627098fd19822e419e4e581514c4e1924b2423a732ddcd5689bd762d1cead14

Download Submit
\Windows\SysWOW64\Bbikgk32.exe

Filesize
224KB

MD5
8c8ccfb28995322bd722de33956f6858

SHA1
e6cf17a07a4cba6ff6c10dd585376c91f56402ff

SHA256
0b591c05b2a31c645cac096280beb895152198d177a7dc5a3a2a279234cfb193

SHA512
87f7c1626280f85d87515eb423723d6eb2b9dcb03333678f78f05fca948198924f5f97bf13ad1398864fef57a77db0e189176f985ea71364255e2cf5a250eca6

Download Submit
\Windows\SysWOW64\Becnhgmg.exe

Filesize
224KB

MD5
c1f1cc67b840753fac5505105bf1b89f

SHA1
625e656170a3918c1efeee266f411a8986845d10

SHA256
1e5381424500cb5ce1cd9c40ad05868ee4207fb9a382bdb09415a44d498b3340

SHA512
c04992bd1b31048a15508d7b53fa0003e047c9e692644ddd05b148c1d02d29c66552f5b773279e01dc929dfca974f36cca75130d3430d907cd8616238e47125f

Download Submit
\Windows\SysWOW64\Bilmcf32.exe

Filesize
224KB

MD5
1e251af4b200296dbc1227ba64320ee1

SHA1
2e1fd3a828d265745753377789b3300bf4b16c33

SHA256
a136e2156f10d5ada2ad9525eb46ba2dfc48c369fe3becf74271b32cf767d90e

SHA512
af3bebd2343b90794b211174f8bb623e7d91a3602935028adfcc011fa957b2994334ac186bc93ad0e6158ae5915c68642fa2fc808acc22e16b82b5c734c8e1c2

Download Submit
\Windows\SysWOW64\Bmeimhdj.exe

Filesize
224KB

MD5
672a7b96a2359cbc8119f372eb859fd2

SHA1
377c6fa717d7020ceff57b774841be90ffe2774d

SHA256
1228bc61df063ccdd22d803b0f65de8b8022215deebc070eab6a573f9845d6f2

SHA512
b67eeac1c5da72eec861f483ba474f9ebc88b48df77023e81b89bb9a8a7d1a5c051d6f1bc6d0bfafd79e2eaf2990cb4cf9a41bf019ff979b9818c681fac02ba7

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
224KB

MD5
930bc668118791d2e9d980209860ac0f

SHA1
6f64f895e188e3763109b67f92f6a3309db41063

SHA256
1e8e74e3f787e80bd12965bef9e3982c90cc165ce360c093281f0c21ffe0add5

SHA512
68ca0bc498f915de652994456fa1fc25adb87b33caf12290ada74a1428b27bd375665e6c2805f451652facf2207e4a8e0aabbe0e91af90f4a02f2e6943829f86

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
224KB

MD5
31eb5dc56db6566537ee9e5fae75964d

SHA1
0f980586ea9e8f4599294cb943c85dd42d13b189

SHA256
680023c1f85e85ef6ce1862e84ad1ada91f14df10fc118d3c55c81d26b86c16d

SHA512
60875b51ba2ac05288b6834ca9e5bee74b80664406b8548cf5aaa65b0da236fac8ec329091b33ec53a77e6c83c8ad3e43168a42d8ed0d6b3f3a13f871d687639

Download Submit
\Windows\SysWOW64\Pkdgpo32.exe

Filesize
224KB

MD5
44d311684db576b07d9e072bf6055238

SHA1
6de7b64c4ac3e64ec4018a975278397a5ed72c1d

SHA256
10ee0765cd888e11e32e587e6584b49a625f857aa2056c5a57a089e11b68b215

SHA512
460e83b65c56d0b35989a309c8edf74f3609234a33cff58d48a970d1b3bb09b085e9dfd592aec255b64977cbe899819c8f02666885b8ed2fce63ebfc0149c3b1

Download Submit
\Windows\SysWOW64\Qflhbhgg.exe

Filesize
224KB

MD5
6fffccb0a000feeece9f5bd2a2b4af28

SHA1
320bdb80935141a2b39e0e152069254f67b6048e

SHA256
822c70e890eba005c77fa5125795d2711b75fd80f7075c292d1ad5d67055bb6e

SHA512
db31fececefc403c00da60920e29e72627ed02084a49d64341d200e65ecf87a68d81e5993dede659a7fe1226cd43cf7a4ec6b4d7e707a0ce4d02fabfd4f12100

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
224KB

MD5
773b13c57fbcc24f975319d6d0ffafa2

SHA1
3474c87ccb96bed3dc1ceb1fb42020d4258ba213

SHA256
de76c0cd35a3104bc0601ffc51cce81defa97e591e58f0cb2664007dd6bf6f7c

SHA512
aee4a043e0a2004979f7a6b5010206cb61aaae3188b26797ab6bdd34cf779963233127facb99cdcf7b766a7db0ba23bd6fd307603e66afb85d72cf3fea9b509b

Download Submit
memory/924-149-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/924-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-159-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1100-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-25-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1540-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-120-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1632-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-12-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1784-11-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1784-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-65-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2464-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-88-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2504-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-48-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2572-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-75-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2572-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-40-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2752-134-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2752-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-135-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2752-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-107-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/2892-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads