22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81

Analysis

max time kernel
140s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Size

64KB
MD5

e4386bc6a6ad847b94d3e855e285a4f3
SHA1

14cd4f4c70aa6ebb5b7e3681077ba9801487556a
SHA256

22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81
SHA512

88176db7a90c7d1f33e2d2e1d8fdf789f8a14280ff98f856f187258d0b238147c0d6c76a872eababd7e1206f046f631abb89b185645aa3f0dfbecf87aeddbd11
SSDEEP

1536:/nPfngfCm0nFvBL+0Jr3fwPL7XUwXfzwv:fgU+MQDPzwv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe

Executes dropped EXE 13 IoCs

pid	Process
1824	Pfandnla.exe
3280	Qaqegecm.exe
1992	Qpeahb32.exe
628	Aoioli32.exe
1472	Ahdpjn32.exe
4912	Bgkiaj32.exe
2736	Bdojjo32.exe
2868	Bklomh32.exe
3800	Bdfpkm32.exe
1384	Cponen32.exe
1152	Cgnomg32.exe
3288	Cacckp32.exe
1468	Dkqaoe32.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Pfandnla.exe
File created	C:\Windows\SysWOW64\Bgkiaj32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Bdfpkm32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Ahdpjn32.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Pnbddbhk.dll	Aoioli32.exe
File created	C:\Windows\SysWOW64\Bdojjo32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bdojjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
File opened for modification	C:\Windows\SysWOW64\Bdojjo32.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Olaafabl.dll	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Cponen32.exe
File created	C:\Windows\SysWOW64\Mlcdqdie.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Aoioli32.exe	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Cacckp32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfandnla.exe	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Pfandnla.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Pfandnla.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Ahdpjn32.exe	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Pfandnla.exe	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
File opened for modification	C:\Windows\SysWOW64\Qpeahb32.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Plikcm32.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Bdojjo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4380	1468	WerFault.exe	102

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cponen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfandnla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhefcoo.dll"	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qaqegecm.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1824	3328	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe	90
PID 3328 wrote to memory of 1824	3328	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe	90
PID 3328 wrote to memory of 1824	3328	22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe	90
PID 1824 wrote to memory of 3280	1824	Pfandnla.exe	91
PID 1824 wrote to memory of 3280	1824	Pfandnla.exe	91
PID 1824 wrote to memory of 3280	1824	Pfandnla.exe	91
PID 3280 wrote to memory of 1992	3280	Qaqegecm.exe	92
PID 3280 wrote to memory of 1992	3280	Qaqegecm.exe	92
PID 3280 wrote to memory of 1992	3280	Qaqegecm.exe	92
PID 1992 wrote to memory of 628	1992	Qpeahb32.exe	93
PID 1992 wrote to memory of 628	1992	Qpeahb32.exe	93
PID 1992 wrote to memory of 628	1992	Qpeahb32.exe	93
PID 628 wrote to memory of 1472	628	Aoioli32.exe	94
PID 628 wrote to memory of 1472	628	Aoioli32.exe	94
PID 628 wrote to memory of 1472	628	Aoioli32.exe	94
PID 1472 wrote to memory of 4912	1472	Ahdpjn32.exe	95
PID 1472 wrote to memory of 4912	1472	Ahdpjn32.exe	95
PID 1472 wrote to memory of 4912	1472	Ahdpjn32.exe	95
PID 4912 wrote to memory of 2736	4912	Bgkiaj32.exe	96
PID 4912 wrote to memory of 2736	4912	Bgkiaj32.exe	96
PID 4912 wrote to memory of 2736	4912	Bgkiaj32.exe	96
PID 2736 wrote to memory of 2868	2736	Bdojjo32.exe	97
PID 2736 wrote to memory of 2868	2736	Bdojjo32.exe	97
PID 2736 wrote to memory of 2868	2736	Bdojjo32.exe	97
PID 2868 wrote to memory of 3800	2868	Bklomh32.exe	98
PID 2868 wrote to memory of 3800	2868	Bklomh32.exe	98
PID 2868 wrote to memory of 3800	2868	Bklomh32.exe	98
PID 3800 wrote to memory of 1384	3800	Bdfpkm32.exe	99
PID 3800 wrote to memory of 1384	3800	Bdfpkm32.exe	99
PID 3800 wrote to memory of 1384	3800	Bdfpkm32.exe	99
PID 1384 wrote to memory of 1152	1384	Cponen32.exe	100
PID 1384 wrote to memory of 1152	1384	Cponen32.exe	100
PID 1384 wrote to memory of 1152	1384	Cponen32.exe	100
PID 1152 wrote to memory of 3288	1152	Cgnomg32.exe	101
PID 1152 wrote to memory of 3288	1152	Cgnomg32.exe	101
PID 1152 wrote to memory of 3288	1152	Cgnomg32.exe	101
PID 3288 wrote to memory of 1468	3288	Cacckp32.exe	102
PID 3288 wrote to memory of 1468	3288	Cacckp32.exe	102
PID 3288 wrote to memory of 1468	3288	Cacckp32.exe	102

C:\Users\Admin\AppData\Local\Temp\22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe
"C:\Users\Admin\AppData\Local\Temp\22648af7057605266fe92183cde662c62b4cb335c671739a6abab3eb837d6a81.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\SysWOW64\Pfandnla.exe
  C:\Windows\system32\Pfandnla.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\Qaqegecm.exe
    C:\Windows\system32\Qaqegecm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\Qpeahb32.exe
      C:\Windows\system32\Qpeahb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        14⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 400
        15⤵
        Program crash
        
        PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1468 -ip 1468
1⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
64KB

MD5
26a7dca9da4a75e7432b77ae740d1a1e

SHA1
a76e378174a8013ae5f26ec59da42c5694386730

SHA256
58c34d631e12d0f884946752ddd98d9ef7f603d6c0f7b6ab998983a4d1069eed

SHA512
00a81285ea178047cce604b2c12597b5c91aaf697d14e93d7d88ed14f17f85d3d8d3ec27a7a8f74271faa8154c008fabf0e043e26129df72848fa417bdc1e118

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
64KB

MD5
8538f644540b7056125096e567787b7f

SHA1
6b612e7950176b5ba18663e771dff9293833fd70

SHA256
53dfcfd916266b7d60432f66c7838940fcdef10148015d5c09b5e0ae579f3139

SHA512
ead98ce75a5118635d9539295ad1058c34cdc11f79e161713844f528d4457c3ed5df1ade3cc7283355188b16de0fe9a244725f31ea9b2f88e6e8f5f345a3a2be

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
64KB

MD5
e58b7fd992300b6644496a9d09954a15

SHA1
f7652c7aa198604bebe2eb17878e913e1c05353b

SHA256
fceddfda02846e4b1032daecb2217865318b621d65fdddef8e650f20ad607d3a

SHA512
459130ec12c794554278f4f79ad8bffdeb000ac25fc0d300437752b6806e279ef22006afdf08d701d69b3445bee223d47e5148675f11f335eeda3a75f6457da3

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe

Filesize
64KB

MD5
0be874b9c4c9e880f071e416cead2855

SHA1
62cd4d30c8e192c3b9401446c378c9d1230b6a52

SHA256
a38d8ca8e22b9ed5c882ae5a430045d0c9d3e66f7a61e9b5ea06fe4930244c28

SHA512
d5f5d902d55a62a45bcb8d9fef73e0ebeed3bc488cb1528c9078ca0b4d46d39695c97fff230f13e165565da3816f45943a4e8d1ebea6c2a39c7075c4ed37805c

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
64KB

MD5
4d7dccd5a1a21d9e6a82a66a30597888

SHA1
5f8f50d08a7ce0bec9fbd24dd6d09a0d20810ba6

SHA256
ba7a061a59e9000dc26ff76f5fa4d45ffd1d1ffa60eed61147725685e371f9c8

SHA512
b174e025e762219b04ab796c54b4adf3ce407e9468d80e77a6ead165a8a6405fa2aa5ba0ec8a5edf325594b553a1d12706b9a25fdb8d99e86e526da2a3296d82

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
64KB

MD5
5e904e9fdc5e217fab37b0287cd3c854

SHA1
a84ed4921ee263f182be6a0b406fd8ee60017230

SHA256
740a7b3ef257c768e1b5291f28265c6141a149524bfc01dd51e4220754765831

SHA512
47510f8ed1a31a39cd67be1ddaa871c047d235fa4b24db6866e54137b94cbcfbf8def113a6fe797ce17680bf48b64b6473152975c7a5fbea4f25ea0d5bda01cb

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
64KB

MD5
9fa1a2166e2c9d68f7277a6a14364465

SHA1
4fa75971844d3a8840e82a421f62f3e0164fc8dd

SHA256
9d9e43d813abe825b9954f02b5119a79b9ba7513e34c728c264109bb9755f344

SHA512
cd88b20b7d71d0ecd97eaa858457337fe9a8569f811c449a5f0e691d00a31c97126cfb1e793e2e287b630ba41fbd9f13d1a8624478396d2d82ed0f6bf73d8bfb

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
64KB

MD5
efb4772879affe31d70f6c62b3b0e5c9

SHA1
bf0a73693937c45f8b3e5fba031375d85bf6e81a

SHA256
185a6dabcdf8653ee45bc96fd941b47c1fde333b8deccb4c8f74ede7ec76d9d0

SHA512
4b536217055d684115b86b403aa6b4b673d3e79d89e3754a15f00d6d6af5dd439a41ae8c8e2dd8bd1c30805c263114d1ce6bf08a558112469ce8479d8dcf68e8

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
64KB

MD5
e28a8c1d74a52a3a243fcab23f86fa97

SHA1
5a93a546fb25c39f7fadfba1f20c64380d9a6ad1

SHA256
26ed310953d982c630341441a4e643481331e6d0decbb276303e2ae8d110292c

SHA512
712766e7912f9308a7e62ef85d73a4369ab71eefddb3fc3aa600d23bcaf34d3e679fb4583b7e8adf7c3bb46d63a2bff3d0b0b1353aff7f843491ffb604f12a27

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
64KB

MD5
7d0924375fcbbe297777c648003e65c0

SHA1
753d9e64ddc68962752961f4c7ae16847b260624

SHA256
2e41614137807fb39b1e1c0100c7de7f48a270c20650ffcdc89f58fb27633aa6

SHA512
63487cb696c42693f32ec39767b0d8f9cacb94bc6fe8d79f81cc455a642299a2c0d09c915b02c01a9d4e92cfc9be2bb32e929cba6d837932242894bc0432292f

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
64KB

MD5
2063b399608b012727aff18703342018

SHA1
35188249405eeff704d7e3aa89d1f225b592ec01

SHA256
2110b7d020ff637c4595c268e4cb305494e5ab86c37490e4654b56e91490553b

SHA512
aca937fa1851eed494c482a850a05ec09d2a6fe2ff81b3c3c6db48f826bebffcb2b008047cbcebb891cf928eec7728e48c64c37f19967040dd1f7671a91d1d6a

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
64KB

MD5
034819e93339a27eeb60920abdb9a298

SHA1
189347ca7d7d857176aecf21aa46235426e22e6a

SHA256
fea39653f4c2512da5e34d87ef19b7a04158580fe086cdffcd5aadb84de23c3a

SHA512
39e51f7627c631053a55ce6f673f24f0631a056e61fc4855c23b94d0343a9c87c64537f8f70335d4e01c038ce9d3a9f8eeaf0eaee632ad824a3a07d5a2d1a861

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
64KB

MD5
17655fe3d5e8e2514b82707b0a8f4052

SHA1
97ae73f37619cbdb7a67807f7adb97b7d1039062

SHA256
1da73744a037f583a79db16d61d84cdf255fe5ec67fb16c146fd583a56f90168

SHA512
0ba75a6952449905b4241f1e6c0790ea43af42e3947cb1b957c1c38d082930507ea9c99b6f6cbab4eb3e25883e985b0c860f00f7c63f57f76f5368fe08ff063f

Download Submit
memory/628-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-106-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads