12538319c20dae2b9d9de4dc4400d9973a0421e8f9cea4c0a6320b48cdb42ab8

Analysis

max time kernel
146s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccbaeada68fff92b48ad9454e4014d27.exe
Size

148KB
MD5

ccbaeada68fff92b48ad9454e4014d27
SHA1

d05cc54f5bfafb33ce72f80ce062516c369ead9a
SHA256

12538319c20dae2b9d9de4dc4400d9973a0421e8f9cea4c0a6320b48cdb42ab8
SHA512

a727b80dfe85c842722d8b62c8a8851b82c5d02d3c393d14f64b383c3307dd1b3e3560d6660afb58dc759836683f0bfac7b604e51a20a75295b18a63c6181a53
SSDEEP

3072:UIydMqKpJT26+8Rze1swpY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:UZcpZ4lpKOdzOdkOdezOd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ccbaeada68fff92b48ad9454e4014d27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enkmfolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkmfolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klndfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihkjno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egened32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fajbjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ccbaeada68fff92b48ad9454e4014d27.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egened32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiacacpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiacacpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmcpoedn.exe

Executes dropped EXE 26 IoCs

pid	Process
1864	Ojomcopk.exe
2108	Palklf32.exe
3792	Apjkcadp.exe
3228	Bddcenpi.exe
3848	Ckebcg32.exe
2116	Cnjdpaki.exe
2488	Dpkmal32.exe
1168	Enkmfolf.exe
2436	Egened32.exe
3324	Fajbjh32.exe
2920	Gpolbo32.exe
1984	Hlkfbocp.exe
1800	Hiacacpg.exe
2324	Ihkjno32.exe
2160	Ilnlom32.exe
640	Jhplpl32.exe
4544	Klndfj32.exe
2004	Koajmepf.exe
4956	Kcoccc32.exe
3260	Lomjicei.exe
1068	Mfpell32.exe
4828	Nmcpoedn.exe
972	Njgqhicg.exe
2592	Ncpeaoih.exe
4292	Opbean32.exe
1608	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajdggc32.dll	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Clpchk32.dll	Ilnlom32.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Jhplpl32.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	ccbaeada68fff92b48ad9454e4014d27.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Enkmfolf.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Jpbhgp32.dll	Enkmfolf.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Apjkcadp.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Cnjdpaki.exe
File opened for modification	C:\Windows\SysWOW64\Ilnlom32.exe	Ihkjno32.exe
File created	C:\Windows\SysWOW64\Kcoccc32.exe	Koajmepf.exe
File created	C:\Windows\SysWOW64\Mfpell32.exe	Lomjicei.exe
File opened for modification	C:\Windows\SysWOW64\Ncpeaoih.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Ojomcopk.exe	ccbaeada68fff92b48ad9454e4014d27.exe
File created	C:\Windows\SysWOW64\Ckebcg32.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Hiacacpg.exe	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Ncpeaoih.exe	Njgqhicg.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Jicchk32.dll	Kcoccc32.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Cnjdpaki.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Gpolbo32.exe	Fajbjh32.exe
File opened for modification	C:\Windows\SysWOW64\Ihkjno32.exe	Hiacacpg.exe
File created	C:\Windows\SysWOW64\Koajmepf.exe	Klndfj32.exe
File opened for modification	C:\Windows\SysWOW64\Kcoccc32.exe	Koajmepf.exe
File created	C:\Windows\SysWOW64\Fmbdpnaj.dll	Fajbjh32.exe
File created	C:\Windows\SysWOW64\Hlkfbocp.exe	Gpolbo32.exe
File opened for modification	C:\Windows\SysWOW64\Koajmepf.exe	Klndfj32.exe
File created	C:\Windows\SysWOW64\Aepjgm32.dll	ccbaeada68fff92b48ad9454e4014d27.exe
File created	C:\Windows\SysWOW64\Palklf32.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Hlhbih32.dll	Egened32.exe
File opened for modification	C:\Windows\SysWOW64\Gpolbo32.exe	Fajbjh32.exe
File opened for modification	C:\Windows\SysWOW64\Lomjicei.exe	Kcoccc32.exe
File created	C:\Windows\SysWOW64\Njgqhicg.exe	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Egened32.exe	Enkmfolf.exe
File created	C:\Windows\SysWOW64\Olekop32.dll	Hiacacpg.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Lomjicei.exe
File created	C:\Windows\SysWOW64\Opbean32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Opbean32.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	Ojomcopk.exe
File opened for modification	C:\Windows\SysWOW64\Enkmfolf.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Egened32.exe	Enkmfolf.exe
File created	C:\Windows\SysWOW64\Ihkjno32.exe	Hiacacpg.exe
File opened for modification	C:\Windows\SysWOW64\Jhplpl32.exe	Ilnlom32.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Lomjicei.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Opbean32.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Palklf32.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Plmell32.dll	Gpolbo32.exe
File created	C:\Windows\SysWOW64\Lomjicei.exe	Kcoccc32.exe
File opened for modification	C:\Windows\SysWOW64\Hiacacpg.exe	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Klndfj32.exe	Jhplpl32.exe
File created	C:\Windows\SysWOW64\Jpecpo32.dll	Klndfj32.exe
File opened for modification	C:\Windows\SysWOW64\Njgqhicg.exe	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Fpenlneh.dll	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Jhplpl32.exe	Ilnlom32.exe
File created	C:\Windows\SysWOW64\Qdhlclpe.dll	Jhplpl32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1720	1608	WerFault.exe	115
4316	1608	WerFault.exe	115

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbdpnaj.dll"	Fajbjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmell32.dll"	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipgkfab.dll"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpenlneh.dll"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiacacpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpecpo32.dll"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiacacpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichelm32.dll"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ccbaeada68fff92b48ad9454e4014d27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfpell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lomjicei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ccbaeada68fff92b48ad9454e4014d27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekellcop.dll"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enkmfolf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll"	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll"	ccbaeada68fff92b48ad9454e4014d27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkmfolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll"	Egened32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihkjno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ccbaeada68fff92b48ad9454e4014d27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll"	Ihkjno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klndfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olekop32.dll"	Hiacacpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egened32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 1864	3264	ccbaeada68fff92b48ad9454e4014d27.exe	89
PID 3264 wrote to memory of 1864	3264	ccbaeada68fff92b48ad9454e4014d27.exe	89
PID 3264 wrote to memory of 1864	3264	ccbaeada68fff92b48ad9454e4014d27.exe	89
PID 1864 wrote to memory of 2108	1864	Ojomcopk.exe	90
PID 1864 wrote to memory of 2108	1864	Ojomcopk.exe	90
PID 1864 wrote to memory of 2108	1864	Ojomcopk.exe	90
PID 2108 wrote to memory of 3792	2108	Palklf32.exe	91
PID 2108 wrote to memory of 3792	2108	Palklf32.exe	91
PID 2108 wrote to memory of 3792	2108	Palklf32.exe	91
PID 3792 wrote to memory of 3228	3792	Apjkcadp.exe	92
PID 3792 wrote to memory of 3228	3792	Apjkcadp.exe	92
PID 3792 wrote to memory of 3228	3792	Apjkcadp.exe	92
PID 3228 wrote to memory of 3848	3228	Bddcenpi.exe	93
PID 3228 wrote to memory of 3848	3228	Bddcenpi.exe	93
PID 3228 wrote to memory of 3848	3228	Bddcenpi.exe	93
PID 3848 wrote to memory of 2116	3848	Ckebcg32.exe	94
PID 3848 wrote to memory of 2116	3848	Ckebcg32.exe	94
PID 3848 wrote to memory of 2116	3848	Ckebcg32.exe	94
PID 2116 wrote to memory of 2488	2116	Cnjdpaki.exe	95
PID 2116 wrote to memory of 2488	2116	Cnjdpaki.exe	95
PID 2116 wrote to memory of 2488	2116	Cnjdpaki.exe	95
PID 2488 wrote to memory of 1168	2488	Dpkmal32.exe	96
PID 2488 wrote to memory of 1168	2488	Dpkmal32.exe	96
PID 2488 wrote to memory of 1168	2488	Dpkmal32.exe	96
PID 1168 wrote to memory of 2436	1168	Enkmfolf.exe	97
PID 1168 wrote to memory of 2436	1168	Enkmfolf.exe	97
PID 1168 wrote to memory of 2436	1168	Enkmfolf.exe	97
PID 2436 wrote to memory of 3324	2436	Egened32.exe	98
PID 2436 wrote to memory of 3324	2436	Egened32.exe	98
PID 2436 wrote to memory of 3324	2436	Egened32.exe	98
PID 3324 wrote to memory of 2920	3324	Fajbjh32.exe	99
PID 3324 wrote to memory of 2920	3324	Fajbjh32.exe	99
PID 3324 wrote to memory of 2920	3324	Fajbjh32.exe	99
PID 2920 wrote to memory of 1984	2920	Gpolbo32.exe	100
PID 2920 wrote to memory of 1984	2920	Gpolbo32.exe	100
PID 2920 wrote to memory of 1984	2920	Gpolbo32.exe	100
PID 1984 wrote to memory of 1800	1984	Hlkfbocp.exe	101
PID 1984 wrote to memory of 1800	1984	Hlkfbocp.exe	101
PID 1984 wrote to memory of 1800	1984	Hlkfbocp.exe	101
PID 1800 wrote to memory of 2324	1800	Hiacacpg.exe	102
PID 1800 wrote to memory of 2324	1800	Hiacacpg.exe	102
PID 1800 wrote to memory of 2324	1800	Hiacacpg.exe	102
PID 2324 wrote to memory of 2160	2324	Ihkjno32.exe	103
PID 2324 wrote to memory of 2160	2324	Ihkjno32.exe	103
PID 2324 wrote to memory of 2160	2324	Ihkjno32.exe	103
PID 2160 wrote to memory of 640	2160	Ilnlom32.exe	104
PID 2160 wrote to memory of 640	2160	Ilnlom32.exe	104
PID 2160 wrote to memory of 640	2160	Ilnlom32.exe	104
PID 640 wrote to memory of 4544	640	Jhplpl32.exe	105
PID 640 wrote to memory of 4544	640	Jhplpl32.exe	105
PID 640 wrote to memory of 4544	640	Jhplpl32.exe	105
PID 4544 wrote to memory of 2004	4544	Klndfj32.exe	106
PID 4544 wrote to memory of 2004	4544	Klndfj32.exe	106
PID 4544 wrote to memory of 2004	4544	Klndfj32.exe	106
PID 2004 wrote to memory of 4956	2004	Koajmepf.exe	107
PID 2004 wrote to memory of 4956	2004	Koajmepf.exe	107
PID 2004 wrote to memory of 4956	2004	Koajmepf.exe	107
PID 4956 wrote to memory of 3260	4956	Kcoccc32.exe	108
PID 4956 wrote to memory of 3260	4956	Kcoccc32.exe	108
PID 4956 wrote to memory of 3260	4956	Kcoccc32.exe	108
PID 3260 wrote to memory of 1068	3260	Lomjicei.exe	109
PID 3260 wrote to memory of 1068	3260	Lomjicei.exe	109
PID 3260 wrote to memory of 1068	3260	Lomjicei.exe	109
PID 1068 wrote to memory of 4828	1068	Mfpell32.exe	110

C:\Users\Admin\AppData\Local\Temp\ccbaeada68fff92b48ad9454e4014d27.exe
"C:\Users\Admin\AppData\Local\Temp\ccbaeada68fff92b48ad9454e4014d27.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\SysWOW64\Ojomcopk.exe
  C:\Windows\system32\Ojomcopk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\Palklf32.exe
    C:\Windows\system32\Palklf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\Apjkcadp.exe
      C:\Windows\system32\Apjkcadp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        27⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 400
        28⤵
        Program crash
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 400
        28⤵
        Program crash
        
        PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1608 -ip 1608
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
148KB

MD5
88487e7c01114716ed5da2fc51754b5d

SHA1
13c6a8dc196674be1fd442174d632eb620a5a47b

SHA256
1e0896e7f1490b88a1b17aec4012f83ed0f21ab2c13b323ecd8d0973774495c6

SHA512
22c70fc6ade96a2b2bfc518e07b0de877d175a980c56fb5e78fc3d4273a9997c0f441989f1bd9df2f55a653419a8b4114019cd1892be6e3b8874e6c6195b4d28

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
148KB

MD5
36e04123172e40ef1cd6deec2cdc0815

SHA1
76b1cccf1d034abb36d284d48e98e1f8aa1fc4b5

SHA256
2975ee82bebec19366a6ce514aa1c31de06083f1faeb02b9c95e89dbf2179299

SHA512
7750f207f636aa167de419edebfb6d2365370e1e2d78f17bc83af32e6a5568a960b38944c4e2b14269622769818ac6d60a4735a4dec28f3c0e6670881b0db393

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
148KB

MD5
6426ef5b1f080d2fd2489ebc3329e327

SHA1
ec5b5a35228f4b19efea42ff67b854431f7b5db9

SHA256
6c73590e043f0257745d2551f47f906cabeb5f3b1ef57a1615d2c88878c65d1d

SHA512
930b5bb127bfda66d7f63e8f983a6c1ccf3ad9adbc41bc7aa310314b6393878a2f416debfb13033e5b2e0a558ebaf15152218294eee929caca16736f97a950ae

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
148KB

MD5
216bc20a68f5f985971f154cfbdeb2b9

SHA1
e820749bc2f55fe1d10bf2a268ee98421b433628

SHA256
3e66876241760b97a089587d69d311eb9ee19f1666043c9876741bc47ed721a5

SHA512
dd11b870ffa313a736b93f5b099a226423407e0d5f2a11bd09d7fa11aa236d7f9f1c2b6696f1492d50f05af7bd1e8ee65fbe76bcbed5f2470a2f2e03f8f7d785

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
148KB

MD5
fd9b061c305de0dedf845f67d3573c87

SHA1
e41d1bcf174a7d53a34f1c1de08ad1f813937e56

SHA256
5a051a4db418002dd8fe0e669b16464820a68c0010f7878fa7a9a3a4c50cf6c2

SHA512
96a1447fd5c01e8e735f6d95616ff3020976584c362f6919f8df0e03f0a5bcf2144e91773ce3f21cc83b727f1848cf27b0d93d9c3b0c05f993760243fdfccb47

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
148KB

MD5
d166a6158b87ecb94137b25a31357b9a

SHA1
7862fae3ee2e1a1a3295eb67193f9e56d3408a48

SHA256
aec9b88f6c40bc96602968aeb757b29d99d8b000caf7e8932234fb64ddb8903a

SHA512
7f83161bd08df7f1329964ba822e509880c59045922c3c20f6b8d6364a64bc65b57205f0fe00281182cb72c02fb731c910877c1c0b5fd2ca1336e70437ac86ea

Download Submit
C:\Windows\SysWOW64\Enkmfolf.exe

Filesize
148KB

MD5
691b9599f4edbc99647ab6e7167e37f7

SHA1
fe1830a6ce4bbbfbc738adb7fb7457ea273ea825

SHA256
2a46218cae6feb2522cec598af8e828295d60c27ec42554e534fb250ffa4fcac

SHA512
dfa11d67d2c261e7f035f3a0cdfadf7fd841186852e323999d8f7efb49e9f5c211184195b4863d75809ed36cb5598a49e7cbc5f0026c724e93a9d7e7f07887fa

Download Submit
C:\Windows\SysWOW64\Fajbjh32.exe

Filesize
148KB

MD5
52c35eb922d78bf8b801f7cafe138e1a

SHA1
6931ce2b9b95e1ca2e79aae144e3cfd6ed9f5c16

SHA256
097a8b131ec93e2a5859970fb126f60da2cb0a2eb1b6e6fc2fae002fa4c1e176

SHA512
ae7e2057ae9d7fb8bdd586d62500e738f214db6655f9526958ec75a4bfc2ff12637d29ba5eecc95cd83f3b3e11ed567b0aaf6a5e8b304b4f38beb664cf7e7ff8

Download Submit
C:\Windows\SysWOW64\Gpolbo32.exe

Filesize
148KB

MD5
52564d5f6515227ecde61b8ef9d18d84

SHA1
c48c1d5c730bfbdf7697bc18bc70c0e8b226121b

SHA256
fbb3658eaa7de9932e09b3de05912f028360ee041612b6271042fa7e4bcc0a3d

SHA512
153d326f96a8d6b002abe87408b7a648c963a78c603f79b13c6d0db1d9ec0e04a0a26411ed47e997fdb58145b3120ac471115e534e38fe8db2439b0584501e73

Download Submit
C:\Windows\SysWOW64\Hiacacpg.exe

Filesize
148KB

MD5
3aba7f4534d2f0b2d039e5b0c9f862a6

SHA1
81b1384fc9c1710be3340ad7c674d6ef7df1182e

SHA256
cd1768d2581e7b9cfc54a14876cfc80396ae3655503e5506fea7de64a5af2cf6

SHA512
5eb4871edf254f89b2d731b3d613fac3c51af9c1604381f2a424b98a5cc14a3fdaee0fbf2c5cd5361774bbd51b8df7267780f5ac043cd3a6b2bb16a93425deda

Download Submit
C:\Windows\SysWOW64\Hlkfbocp.exe

Filesize
148KB

MD5
2b2860bfcdbf40e7da36e8128dcef93a

SHA1
8462c1695805071a4ea36b3047e14529f88a30d2

SHA256
f4238f42dd2545a89254a4b7f8c7a489d2d9bf7caa42b60f7a8d7de2308353c1

SHA512
63a23ea2ffee1b2d7df1aafd6f52aca73d16506e4b31edb06964ca09c71fa445bde597d93ddba3870bb089f2a0bd46038851c86302cf4f5edb2bb10aa0aeb9a2

Download Submit
C:\Windows\SysWOW64\Ihkjno32.exe

Filesize
148KB

MD5
b3d47f35616aff63d044637ae4155fb1

SHA1
85408db2e5598768b432c5ae4caea0d308ce85cd

SHA256
7fb531cc814d3df7c5cd23c4d0dc55b17e4c23668d9f77d55b8b92f2b544c803

SHA512
16e1cea45b20dcfb54d98670e31626f38e51cb54254f1c539b74ab1b4c83a15eb8e607b08742166b4157751f897ac7138d04e532b3058d74e02f30997c32003e

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
148KB

MD5
f16ced377376625dd51b97263c78496e

SHA1
6d19be0df3334bf41ba4e2d4748cc2aba7b420f1

SHA256
5655d29330c4c87ef8d7335b2ab10bd9ccbba485ac84b063df94ea67b98df447

SHA512
c94d086cb5cdfd8c1c567fb0149b017212addec64e698d6f6f7443c551587be1be30427f6807c89b0b8fdfbb59fe320b3a12531a565b371df0147d04794a3453

Download Submit
C:\Windows\SysWOW64\Jhplpl32.exe

Filesize
148KB

MD5
0e52b44f34155d957aa5940eab277793

SHA1
9e1b62cce6bc58bfabf186ca32ab9c66aa137bae

SHA256
5a0a036bc95a51fcc77f5ac5a2226f769d06ae284eb63fcf6530e1c39fabea9f

SHA512
7d65018a43b44f396c9c962871036aaed114fa9433aae2cafbd4f3a94b2bc4bc3c1351f8d68decefec7446639e18866be829eb09a41f695e23a34626b66c33e8

Download Submit
C:\Windows\SysWOW64\Kcoccc32.exe

Filesize
148KB

MD5
7e367d44a918caad679bc0ced45fcf74

SHA1
c4170c9daf838912ac55818110cc11c9dc572c03

SHA256
10647b127fc04eea249af4851f5b32f15f1375c2b2f83708a595d7e44f1da141

SHA512
4e9edd97aead6780c9b0244fda35f210184f1101219a523ce4eab773f4d6edd19ffa3e6988f90fb4c18a8c063fca7e1e542581448d81615b0b949b370b1eed5c

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
148KB

MD5
fda0d767b08d206d2676030d8d3779f0

SHA1
6c925b0e7534f68316ad0baa30f0df8257bd6049

SHA256
cdb91ca4f6fd1bfba097e4bcc637a97f32eed3ec6f4f9f606c0c4b38627d6150

SHA512
8895122bc7dcdead36e3c39191344ab32adb20b75af8e6083069d933063dbbc0155295a4b4e9ee3006b2152118b92f878038cd9789d6f4fb85ac4085bcc495c4

Download Submit
C:\Windows\SysWOW64\Koajmepf.exe

Filesize
148KB

MD5
e9c68e242545d747325a6606496fbb21

SHA1
bcefa8afdd09aef7814e32ac81b4564a1d811e50

SHA256
468e7d3e4b778c23c8fe12a413c1457aa1127b4874bc24f5ed8dd04ec788a1e6

SHA512
78d7b47ab65bd42deed1f8a7ea0ef54006fdf61e421a2760ece360f853fb6b7edf1638d567488fb322239eb7d2257271f2aaed375d1f4e4ce6195d85949f0c3f

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
148KB

MD5
a9bc79d4d4521e4cfa0c73378b1cc86f

SHA1
a15f63cfc6d677ed9d3b2dcb48770a292c0cef33

SHA256
6e09a79aaff849c86172491413db97c0298dc70bc9295bfcb8ee52348e09b3b1

SHA512
9ebf500679614b44c73372940eaad20bcdf63528210afb1fcb5fc87740c44ad1744e9e8d8fcbde2c6c6f994d68592260cff47857689eaf75c54dc214c3a7c2dc

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
64KB

MD5
8d12fc9b45e57381e7c592be2af43bf7

SHA1
f2ff156521df947dfd1ee87440aa2e5c3e7eea25

SHA256
9cc6573052a3a89ee92b2a48627bee538d2b9efb3421d30164ae28373bad2d80

SHA512
c7065e100136bedbd432ec2bbac3f8335dfaf002b53b0102477cdc7670dfd72e90e4707d32bbfc345adf45aae482a5efb4526186af7cec5f15eaf7b6a7b290b9

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
148KB

MD5
b2c0a7eaaf3b2bc19e44ff3b1f63baf0

SHA1
396055f232b1cfb44c750921fad9c7b8561a0ca0

SHA256
1879f3559b01ced5ee3d0c4c888b8ed1c8312a5aabe33490f2122df596d8846e

SHA512
3e02ac434389c926dc388de8592ccd435b6a60c775b901fe7d43a95cf5bc3834836fe86e410e40c24f7d9a9219dcc8e03762b71e5806f7af320e7e74277e965e

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
148KB

MD5
fe97030e21fe1f6314f400f883b82076

SHA1
eefffe02f92f393bd739340a69d1fbe68fe35ce5

SHA256
66899145e0fae05d9fc769ecb2a159347f777eb486b478eacd4e30175f0d6e77

SHA512
7be84b88b1f24e316d2beeb155672997abc4c3efaf6aa0f24e2677550c6af8b78a0b67b72839880b55422f0362284c520bf299de78785a1f4045d0849286bbef

Download Submit
C:\Windows\SysWOW64\Njgqhicg.exe

Filesize
148KB

MD5
f4fee71e5459675d4bc21cab7c0f5f69

SHA1
5cc6ad858496a51c216044333ae55895cb563adb

SHA256
757c9fdf1c0caf95e1c9513b467863e834b33b40024a07044ecabf93ef923e77

SHA512
f124b205d2ebbec3f92b1a6cb9878a2a95d0cdb053ccb89d21cef8b471d7d3a3387d39828ef4e9559987e1cf3ca3f956233062aaa255f472284dbbc496738c81

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
148KB

MD5
28419ccde96426b04dd87da7112f88ee

SHA1
24a25824e41ad10b28990c026931c31bbdd1670d

SHA256
1d6db3be5beb5dd781ea4d913adacd98bec243a98a5846796f2bb3bf88020f00

SHA512
85f4fb89ddb1c73bb0a43c396118efbd3d940f4d31e7bbc9cf2d9831dffce20ec52b9c24cc6b43e884b2a1f8c7822c0d155b5d9db0a4c585720ab9141c8b9a7f

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
148KB

MD5
f59ce5e6f1db5894e8d34f91d782065c

SHA1
0490e7cf745d2d59618ad438136b7f4d1566996b

SHA256
cbfda6e99e5f216dd4f61b9bd9bab8f94d190a2ac0de459ecb3584218f5c2af4

SHA512
991e1017f0a33631dee08640f0a3e76125d82fb7d483fb9db01fdcb4172c23ba9adc7b2bf0a5e5c46b13bba3238e97ca7bd12e80615d64a94b50ead27a9f9cf1

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
148KB

MD5
e62a61ac33ea282e2383265f40176ed1

SHA1
2cdf14f7015993a39aa2277a8b4357f2af69c493

SHA256
7fcc7c2bca0d435b4ab39639052f335db78b4c91331c8290d2d5f3870888fd89

SHA512
9feef7d8b41232316db2d64a1cb688e8c802f5b67c126ecc341177f07726b1d097a3c41ca2fa6d925e026f5a84cbcd21a97fc244f070b43833c286b35c2fd3a5

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
148KB

MD5
fd234ed2de6e1055cf80678e87b03a67

SHA1
033f33a5a10f6af7772b18311aab5b469e1743ec

SHA256
eb2250dbf2b049bac03d30fc0d978761da67d6b376c7a4d46f98f31dd0b948ef

SHA512
40e406d3e5b5247de304764e82466a2b5a9914a94b888edffaa5715204e933177c37be95184cf614f8640de39c569a891fe292afbaa13ecc1e63024e67795e1a

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
148KB

MD5
19756070259e6aa314dc603c4fe4097e

SHA1
d7691944b7c1d4c00796bdb76daf28a837a36852

SHA256
5e2c26dadac7fc8fb700e1ca75baded36b8562898cc1353d9ecb914e4672eec9

SHA512
ad0fbfa57612eea8689a5bedbde27794a40fe9dc0f423e1af7fbabbdc237412f7f7ab53810a0690bdc3d12a111d07cd716001ccf7b2f6fc8881ecdb43ed94afe

Download Submit
memory/640-129-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/640-309-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/972-325-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/972-186-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1068-321-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1068-171-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1168-288-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1168-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1608-338-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1608-225-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1800-106-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1800-303-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1864-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1864-273-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1984-301-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1984-97-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2004-146-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2004-315-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-275-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2116-284-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2116-49-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2160-307-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2160-122-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2324-113-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2324-305-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2436-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2436-290-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2488-286-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2488-58-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2592-194-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2592-329-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2920-295-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2920-89-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3228-281-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3228-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3260-162-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3260-319-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3264-270-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3264-81-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3264-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3264-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3324-297-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3792-25-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3792-276-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3848-282-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3848-42-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4292-332-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4292-204-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4544-311-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4544-138-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4828-323-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4828-179-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4956-317-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4956-155-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads