berbew | fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Size

93KB
MD5

cd63083d7c3e88918646e3388af6ecb0
SHA1

afe0d93c5d41aa5f6621aed9df20f40cbdc446fe
SHA256

fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3
SHA512

80e94c302bb2a25748ccd2e6da3fc2641854d651ba75515c322f7776b411c367efc3b31a7dc66ac14936c67dd28863449e300c0a3ef1683f4d4a1badf0ff4c1a
SSDEEP

1536:2LQqMDPNOF6439Rjn0ffYSOgNj1DaYfMZRWuLsV+1B:Q8D4Ac0ffNNBgYfc0DV+1B

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcnhcdkp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcqdidim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njobpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikpgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgocek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcqdidim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqgahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqgahh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njobpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddagi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgejidgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghgocek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglmifca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddagi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngoinfao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgjpcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kghkppbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgejidgn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngoinfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kghkppbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchjjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofklpa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 18 IoCs

pid	Process
2288	Kghkppbp.exe
2920	Kikpgk32.exe
2456	Lddagi32.exe
1720	Lgejidgn.exe
1048	Lghgocek.exe
2608	Lcnhcdkp.exe
2252	Lcqdidim.exe
1484	Mqgahh32.exe
3040	Mchjjc32.exe
2064	Mbmgkp32.exe
2004	Mgjpcf32.exe
1448	Nglmifca.exe
1108	Ngoinfao.exe
2908	Njobpa32.exe
1652	Nffcebdd.exe
848	Ojdlkp32.exe
2012	Ofklpa32.exe
2584	Ohnemidj.exe

Loads dropped DLL 40 IoCs

pid	Process
2380	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
2380	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
2288	Kghkppbp.exe
2288	Kghkppbp.exe
2920	Kikpgk32.exe
2920	Kikpgk32.exe
2456	Lddagi32.exe
2456	Lddagi32.exe
1720	Lgejidgn.exe
1720	Lgejidgn.exe
1048	Lghgocek.exe
1048	Lghgocek.exe
2608	Lcnhcdkp.exe
2608	Lcnhcdkp.exe
2252	Lcqdidim.exe
2252	Lcqdidim.exe
1484	Mqgahh32.exe
1484	Mqgahh32.exe
3040	Mchjjc32.exe
3040	Mchjjc32.exe
2064	Mbmgkp32.exe
2064	Mbmgkp32.exe
2004	Mgjpcf32.exe
2004	Mgjpcf32.exe
1448	Nglmifca.exe
1448	Nglmifca.exe
1108	Ngoinfao.exe
1108	Ngoinfao.exe
2908	Njobpa32.exe
2908	Njobpa32.exe
1652	Nffcebdd.exe
1652	Nffcebdd.exe
848	Ojdlkp32.exe
848	Ojdlkp32.exe
2012	Ofklpa32.exe
2012	Ofklpa32.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mchjjc32.exe	Mqgahh32.exe
File created	C:\Windows\SysWOW64\Mbmgkp32.exe	Mchjjc32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Ofklpa32.exe
File opened for modification	C:\Windows\SysWOW64\Lgejidgn.exe	Lddagi32.exe
File opened for modification	C:\Windows\SysWOW64\Lcnhcdkp.exe	Lghgocek.exe
File created	C:\Windows\SysWOW64\Lgejidgn.exe	Lddagi32.exe
File opened for modification	C:\Windows\SysWOW64\Lghgocek.exe	Lgejidgn.exe
File created	C:\Windows\SysWOW64\Kebdmn32.dll	Lgejidgn.exe
File created	C:\Windows\SysWOW64\Lcnhcdkp.exe	Lghgocek.exe
File created	C:\Windows\SysWOW64\Dncodq32.dll	Lcqdidim.exe
File created	C:\Windows\SysWOW64\Nglmifca.exe	Mgjpcf32.exe
File created	C:\Windows\SysWOW64\Jceahq32.dll	Ngoinfao.exe
File opened for modification	C:\Windows\SysWOW64\Lcqdidim.exe	Lcnhcdkp.exe
File created	C:\Windows\SysWOW64\Mqgahh32.exe	Lcqdidim.exe
File created	C:\Windows\SysWOW64\Lghgocek.exe	Lgejidgn.exe
File opened for modification	C:\Windows\SysWOW64\Kghkppbp.exe	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
File created	C:\Windows\SysWOW64\Ldbjfdld.dll	Kghkppbp.exe
File opened for modification	C:\Windows\SysWOW64\Mqgahh32.exe	Lcqdidim.exe
File created	C:\Windows\SysWOW64\Mchjjc32.exe	Mqgahh32.exe
File created	C:\Windows\SysWOW64\Kahmln32.dll	Mchjjc32.exe
File created	C:\Windows\SysWOW64\Kghkppbp.exe	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
File created	C:\Windows\SysWOW64\Ncmbldke.dll	Lddagi32.exe
File created	C:\Windows\SysWOW64\Dkfdpa32.dll	Mqgahh32.exe
File opened for modification	C:\Windows\SysWOW64\Mbmgkp32.exe	Mchjjc32.exe
File opened for modification	C:\Windows\SysWOW64\Kikpgk32.exe	Kghkppbp.exe
File created	C:\Windows\SysWOW64\Ngoinfao.exe	Nglmifca.exe
File created	C:\Windows\SysWOW64\Ojdlkp32.exe	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Ofklpa32.exe	Ojdlkp32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Jmifofko.dll	Kikpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Njobpa32.exe	Ngoinfao.exe
File created	C:\Windows\SysWOW64\Fdldjnpc.dll	Lghgocek.exe
File created	C:\Windows\SysWOW64\Lcqdidim.exe	Lcnhcdkp.exe
File opened for modification	C:\Windows\SysWOW64\Mgjpcf32.exe	Mbmgkp32.exe
File created	C:\Windows\SysWOW64\Ofilmn32.dll	Mbmgkp32.exe
File created	C:\Windows\SysWOW64\Kikpgk32.exe	Kghkppbp.exe
File created	C:\Windows\SysWOW64\Keniknoh.dll	Ojdlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Nglmifca.exe	Mgjpcf32.exe
File created	C:\Windows\SysWOW64\Ceahlg32.dll	Mgjpcf32.exe
File created	C:\Windows\SysWOW64\Gdfpegkn.dll	Nglmifca.exe
File created	C:\Windows\SysWOW64\Gaijph32.dll	Njobpa32.exe
File created	C:\Windows\SysWOW64\Plgojd32.dll	Nffcebdd.exe
File opened for modification	C:\Windows\SysWOW64\Ofklpa32.exe	Ojdlkp32.exe
File created	C:\Windows\SysWOW64\Mgjpcf32.exe	Mbmgkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lddagi32.exe	Kikpgk32.exe
File created	C:\Windows\SysWOW64\Lddagi32.exe	Kikpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ojdlkp32.exe	Nffcebdd.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Bplmhi32.dll	Lcnhcdkp.exe
File opened for modification	C:\Windows\SysWOW64\Ngoinfao.exe	Nglmifca.exe
File created	C:\Windows\SysWOW64\Njobpa32.exe	Ngoinfao.exe
File created	C:\Windows\SysWOW64\Nffcebdd.exe	Njobpa32.exe
File opened for modification	C:\Windows\SysWOW64\Nffcebdd.exe	Njobpa32.exe
File created	C:\Windows\SysWOW64\Qooplh32.dll	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	2584	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjpcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglmifca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nffcebdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgejidgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgocek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnhcdkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqgahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmgkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofklpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kghkppbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddagi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcqdidim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchjjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikpgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngoinfao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njobpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdlkp32.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebdmn32.dll"	Lgejidgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll"	Lghgocek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmbldke.dll"	Lddagi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfdpa32.dll"	Mqgahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqgahh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcnhcdkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngoinfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmifofko.dll"	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgojd32.dll"	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jceahq32.dll"	Ngoinfao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcqdidim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddagi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgejidgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nglmifca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njobpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahmln32.dll"	Mchjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qooplh32.dll"	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kghkppbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaijph32.dll"	Njobpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqgahh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchjjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kghkppbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngoinfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keniknoh.dll"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfpegkn.dll"	Nglmifca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgejidgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghgocek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplmhi32.dll"	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofilmn32.dll"	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dncodq32.dll"	Lcqdidim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcqdidim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchjjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjfdld.dll"	Kghkppbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghgocek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll"	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nglmifca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddagi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2288	2380	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe	29
PID 2380 wrote to memory of 2288	2380	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe	29
PID 2380 wrote to memory of 2288	2380	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe	29
PID 2380 wrote to memory of 2288	2380	fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe	29
PID 2288 wrote to memory of 2920	2288	Kghkppbp.exe	30
PID 2288 wrote to memory of 2920	2288	Kghkppbp.exe	30
PID 2288 wrote to memory of 2920	2288	Kghkppbp.exe	30
PID 2288 wrote to memory of 2920	2288	Kghkppbp.exe	30
PID 2920 wrote to memory of 2456	2920	Kikpgk32.exe	31
PID 2920 wrote to memory of 2456	2920	Kikpgk32.exe	31
PID 2920 wrote to memory of 2456	2920	Kikpgk32.exe	31
PID 2920 wrote to memory of 2456	2920	Kikpgk32.exe	31
PID 2456 wrote to memory of 1720	2456	Lddagi32.exe	32
PID 2456 wrote to memory of 1720	2456	Lddagi32.exe	32
PID 2456 wrote to memory of 1720	2456	Lddagi32.exe	32
PID 2456 wrote to memory of 1720	2456	Lddagi32.exe	32
PID 1720 wrote to memory of 1048	1720	Lgejidgn.exe	33
PID 1720 wrote to memory of 1048	1720	Lgejidgn.exe	33
PID 1720 wrote to memory of 1048	1720	Lgejidgn.exe	33
PID 1720 wrote to memory of 1048	1720	Lgejidgn.exe	33
PID 1048 wrote to memory of 2608	1048	Lghgocek.exe	34
PID 1048 wrote to memory of 2608	1048	Lghgocek.exe	34
PID 1048 wrote to memory of 2608	1048	Lghgocek.exe	34
PID 1048 wrote to memory of 2608	1048	Lghgocek.exe	34
PID 2608 wrote to memory of 2252	2608	Lcnhcdkp.exe	35
PID 2608 wrote to memory of 2252	2608	Lcnhcdkp.exe	35
PID 2608 wrote to memory of 2252	2608	Lcnhcdkp.exe	35
PID 2608 wrote to memory of 2252	2608	Lcnhcdkp.exe	35
PID 2252 wrote to memory of 1484	2252	Lcqdidim.exe	36
PID 2252 wrote to memory of 1484	2252	Lcqdidim.exe	36
PID 2252 wrote to memory of 1484	2252	Lcqdidim.exe	36
PID 2252 wrote to memory of 1484	2252	Lcqdidim.exe	36
PID 1484 wrote to memory of 3040	1484	Mqgahh32.exe	37
PID 1484 wrote to memory of 3040	1484	Mqgahh32.exe	37
PID 1484 wrote to memory of 3040	1484	Mqgahh32.exe	37
PID 1484 wrote to memory of 3040	1484	Mqgahh32.exe	37
PID 3040 wrote to memory of 2064	3040	Mchjjc32.exe	38
PID 3040 wrote to memory of 2064	3040	Mchjjc32.exe	38
PID 3040 wrote to memory of 2064	3040	Mchjjc32.exe	38
PID 3040 wrote to memory of 2064	3040	Mchjjc32.exe	38
PID 2064 wrote to memory of 2004	2064	Mbmgkp32.exe	39
PID 2064 wrote to memory of 2004	2064	Mbmgkp32.exe	39
PID 2064 wrote to memory of 2004	2064	Mbmgkp32.exe	39
PID 2064 wrote to memory of 2004	2064	Mbmgkp32.exe	39
PID 2004 wrote to memory of 1448	2004	Mgjpcf32.exe	40
PID 2004 wrote to memory of 1448	2004	Mgjpcf32.exe	40
PID 2004 wrote to memory of 1448	2004	Mgjpcf32.exe	40
PID 2004 wrote to memory of 1448	2004	Mgjpcf32.exe	40
PID 1448 wrote to memory of 1108	1448	Nglmifca.exe	41
PID 1448 wrote to memory of 1108	1448	Nglmifca.exe	41
PID 1448 wrote to memory of 1108	1448	Nglmifca.exe	41
PID 1448 wrote to memory of 1108	1448	Nglmifca.exe	41
PID 1108 wrote to memory of 2908	1108	Ngoinfao.exe	42
PID 1108 wrote to memory of 2908	1108	Ngoinfao.exe	42
PID 1108 wrote to memory of 2908	1108	Ngoinfao.exe	42
PID 1108 wrote to memory of 2908	1108	Ngoinfao.exe	42
PID 2908 wrote to memory of 1652	2908	Njobpa32.exe	43
PID 2908 wrote to memory of 1652	2908	Njobpa32.exe	43
PID 2908 wrote to memory of 1652	2908	Njobpa32.exe	43
PID 2908 wrote to memory of 1652	2908	Njobpa32.exe	43
PID 1652 wrote to memory of 848	1652	Nffcebdd.exe	44
PID 1652 wrote to memory of 848	1652	Nffcebdd.exe	44
PID 1652 wrote to memory of 848	1652	Nffcebdd.exe	44
PID 1652 wrote to memory of 848	1652	Nffcebdd.exe	44

C:\Users\Admin\AppData\Local\Temp\fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe
"C:\Users\Admin\AppData\Local\Temp\fdf171fab6ab88bf8ca8c79ac5865d8e56ed70e90b5c74b72576f40ce4aee5e3N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\Kghkppbp.exe
  C:\Windows\system32\Kghkppbp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\Kikpgk32.exe
    C:\Windows\system32\Kikpgk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Lddagi32.exe
      C:\Windows\system32\Lddagi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\Lgejidgn.exe
        
        C:\Windows\system32\Lgejidgn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\SysWOW64\Lghgocek.exe
        
        C:\Windows\system32\Lghgocek.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Lcnhcdkp.exe
        
        C:\Windows\system32\Lcnhcdkp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Lcqdidim.exe
        
        C:\Windows\system32\Lcqdidim.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Mqgahh32.exe
        
        C:\Windows\system32\Mqgahh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Mchjjc32.exe
        
        C:\Windows\system32\Mchjjc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Mbmgkp32.exe
        
        C:\Windows\system32\Mbmgkp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Mgjpcf32.exe
        
        C:\Windows\system32\Mgjpcf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Nglmifca.exe
        
        C:\Windows\system32\Nglmifca.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Ngoinfao.exe
        
        C:\Windows\system32\Ngoinfao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Njobpa32.exe
        
        C:\Windows\system32\Njobpa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Nffcebdd.exe
        
        C:\Windows\system32\Nffcebdd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Ojdlkp32.exe
        
        C:\Windows\system32\Ojdlkp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Ofklpa32.exe
        
        C:\Windows\system32\Ofklpa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcqdidim.exe

Filesize
93KB

MD5
291073e2205c85bae94b4a9625a339f1

SHA1
4b0b804d62a91685e672525c2af88209e6e87579

SHA256
d3130007aad9555edf58e875e058ef6768f7b8cacd1cd880941d49454681593d

SHA512
3f5d4d1e3f83c9d67d78729d42c6ac5e3314dde8962a2f55a8bf3d81b6e84a1b678277df4b60b055e6e5af2182ce3017c57c3daeb3c1578b9fee55fb1d3d46e2

Download Submit
C:\Windows\SysWOW64\Ofklpa32.exe

Filesize
93KB

MD5
d980ee84be040e3e5996fd5781d56c59

SHA1
9916ea2f0c1fee809e4cff81f98419aab678408a

SHA256
bda815162722553de8a2f913190b86036c2335dc7763a6144919802288a46528

SHA512
f5296d820d6698ce646055078e654a27af8524628a104b90e8a169a1552678eac8a3535df68cbe1cebf2dd43746bc955576fc37b728adbab00b0cdf9abaf4b97

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
93KB

MD5
7707ac3b9f5b13597d141e71425480fd

SHA1
3ca7ca6ea0fe552d6a3516646aa4c4163c6f6db0

SHA256
0c18e10f54c8ddf7f4a5a75667d110091cd61425d2e56f7492820e6fe5424430

SHA512
f39600b87d8c603dc543a7503f3fd1d0787ce027277979ab7e20d7c8d93d1210a05d699e78153ff3a2c4f860193fdf101460e8f6f19138eade746bf127c3c585

Download Submit
\Windows\SysWOW64\Kghkppbp.exe

Filesize
93KB

MD5
93a51dd2310e84b11654bbf5185512b8

SHA1
fdd9d861f877cc8ae0ee37ee9b7ec725e2ee300b

SHA256
5a84409d1ff9a80bba967de93eafb7f31d3c6ea81c9742eb5aa49ec31ea2c4d2

SHA512
0ab1c7cf21d49000307c60d2b787f4f4eb95577c0e73ec43b6d529dcca142a4a1bdeab525dff24c34400fa8e13154dc4173963e74e81ae8b1f486d17638f40a1

Download Submit
\Windows\SysWOW64\Kikpgk32.exe

Filesize
93KB

MD5
e16c55f69af8ace31960cabffdb90717

SHA1
fcea4c71cde77f0ae18b00546894f8bd40c0d3bb

SHA256
785f655357c8a0c61643a6418a623bf6a2d4dfcebb07a19531a42924799375d5

SHA512
ad5c339c1a771c390a4ec62e94d1de538e7e51084ed3256f07ed12d7e3f66dd68c82f05d956426a7fc131d9b55dba4adb00f24cca500f696868ee6817b00fa07

Download Submit
\Windows\SysWOW64\Lcnhcdkp.exe

Filesize
93KB

MD5
ac9c76c5f0db16abedf3d48840a20c2f

SHA1
d0b644968352e640c08850c9c062ccda23d7b336

SHA256
90ec3f450e61403acf3b2f184d4abb5b3eac1eff2a2e13cf9d9f4e5e9886acb1

SHA512
8a74d44e17ac761f6e7fb7cb6a7267ed04e4b9a935b25c34537ad1a03fdb8d15949d791f1e3564331607026133ec4f0ba1a90e7cd766f9f8150f8d18afb1bc9c

Download Submit
\Windows\SysWOW64\Lddagi32.exe

Filesize
93KB

MD5
693268e112c35c9f3956de5d192ccfe9

SHA1
97c5b400e6028b0f3d972cf411287bc1775475da

SHA256
002a18bac607994683d55482d736a0febee287399d7198cb5eb5954b7e13ee23

SHA512
320d473f5a145168deab41d1b622edcd2e08d1a483e8763f8e7a31e1fefb1b67fe612d4b8063509d2f4c6d85606e4b43db9e4d0c13ec9ef8410e28e3401f8cf2

Download Submit
\Windows\SysWOW64\Lgejidgn.exe

Filesize
93KB

MD5
4727e759e5593161d3fd386f1ddbd2c0

SHA1
39f71bd3f9f5bc9f0e171ac61b878ab547d64595

SHA256
2434d843b0c20d14c9d70eaaae44c335db434964c70554a282fd9c802aedd208

SHA512
a605b7315b6059fd265f1bf87b4bee5bf9c1ebb5fffdceed76da0af2477557e02a950b86ebe8f4fb9522cb5d59b0f4baf1cbff9e4a039e5d7150d5e9707df2ca

Download Submit
\Windows\SysWOW64\Lghgocek.exe

Filesize
93KB

MD5
3a0ddc7da937ca369e764233a6aa9a9a

SHA1
af7425555256e0c7315c9870d4c774e01db38ee5

SHA256
d0bf36dda6c64d09af399d1b8bcc9d9e0e321d07a5cb2f1dad8534e4d55a147f

SHA512
f6311a68997d435dbd79eecc15fb26a89958b6f9ddbf2906f21dc15fdc61920ce3f819900549aacb7f3322a6af027ae22ad73bf3e7c4eeb3ed8ca3fd19008951

Download Submit
\Windows\SysWOW64\Mbmgkp32.exe

Filesize
93KB

MD5
7db127bbdf669ae45fb448849c2c50d7

SHA1
1bf728988145c7014ac226e4d63eea260664440b

SHA256
5b816659ae7aae14eb976ece361006972e14d295b701d0c049b2c89c25a5e755

SHA512
9c3f0c977960969e2795edf817d954fb2ef55d8eeb25d8a9df7dad0148ed646d68ad25d7607ff15212d474a4c1f75880632b385fb0fc6fce0cc392fd954568a1

Download Submit
\Windows\SysWOW64\Mchjjc32.exe

Filesize
93KB

MD5
6736234b64d2684146be2d26994d9ec3

SHA1
46325390c000f5a1bb3574a019f17b3384d5fb49

SHA256
5845002510e805a9225d314c995b4997806728f3fa6a177cc05a93a45880abdb

SHA512
61eca5044f4a330f084f3bf1f771e02440db3108d9e3dd575ac9dd032cc2ad9874052a5937a77c8830a551a910b302efc7d4f7ad5fda6141826ef4f1a43d163d

Download Submit
\Windows\SysWOW64\Mgjpcf32.exe

Filesize
93KB

MD5
4b1d7b2d4453d91cc8ad529969a9c72f

SHA1
2c16575b7ee660833bb161e83773d34968152843

SHA256
35065f587a983e011e43b36a7bd94d213363bb247bb1a21149be1eeba1a59e76

SHA512
8422c8381cfbcd65c8634a5f894a798eab9d2a9d14fda6d02959f7f031305e26e949706618bdf4aa17f7d7586b1f098ee146e5a28b0d6f3336b636f59520f7e4

Download Submit
\Windows\SysWOW64\Mqgahh32.exe

Filesize
93KB

MD5
90e82741ddd99fd56a5461387d6a99c8

SHA1
ec91a328cfa45d95185ee4b96636cc2aa6672a9d

SHA256
84420830669f5dbe3bcb707ad1b429b4681582d0bcede0011aeeac571c4e6ed4

SHA512
de858e4175c1e5a50481920f594258f2d2453ddd3f60ffac71427e2f69c217f1bee51c35ca133ea101088cb81e995f2379cb3369bb1632df81698fd50d7570a4

Download Submit
\Windows\SysWOW64\Nffcebdd.exe

Filesize
93KB

MD5
8e4e17659f8b67340a32602a6d979573

SHA1
36e256b13e1e22e55acfa519316f756fc833602d

SHA256
69a4dc17ce144973322807f9d3133c18cc9fc11f4d4df768dc0147d8be86ee8e

SHA512
d20ca82066df5b2908e3e549352e556b15f856fe838916b0fa81d704d1fb6fbf4b9ecf22d8222f764df9e87bd5ff69ad0338efbca999ba4c1677af9d53a697b3

Download Submit
\Windows\SysWOW64\Nglmifca.exe

Filesize
93KB

MD5
6126340bd325b0341402d45b3ec04427

SHA1
be540b00ba4ee7624256547bdb77ec054eea207d

SHA256
e241517fedd2739bad27b7f18f9dae50a2897c4844e42eca8b59da9b61b615e0

SHA512
7ffc4252d8d79e23ed6faf32b41b994e26c59cbeb880c7f51a255d57b1c7bf9a6141be371e00e1340fcc1dbec2d80b024908fd4b436e053de9fdb2a463bd6f93

Download Submit
\Windows\SysWOW64\Ngoinfao.exe

Filesize
93KB

MD5
4949c5e464e2439166c7e23b6ee5f9c5

SHA1
9719f6fbb53cf49df97dce531972133f2d5c1d51

SHA256
8d16deb14882a6bcf7f67cfe22672dbcc2497f0244d3b65c250e29321b340cb5

SHA512
53fc4f8ef073beaef55585bb7f20196cf91f4d13a21d9ad368b282b20000a960947b0810697192432ed1b99367bc4b8c190daaeb9f335d6b90d28652e80e309a

Download Submit
\Windows\SysWOW64\Njobpa32.exe

Filesize
93KB

MD5
88d271becffb0fab2d1fa3ce72568845

SHA1
9df506975937d33bc8324ef73ff7482451967b15

SHA256
3be7a92d17d7dfea6b31ad53305a236f1b2dcd1687dff381bf2cc1616de0ad08

SHA512
f4574f1cdbc33799ad9778be5ac41d8cc61f7f53fb2bccb5a922b7017d86599c5297b69fae72a2eae969d06fee7d5316c22e81eba3a8fdc94611e08407b59f92

Download Submit
\Windows\SysWOW64\Ojdlkp32.exe

Filesize
93KB

MD5
131abf43c0110120aa722c81037069af

SHA1
b512e3e1e574faaf8090cffe39b0cf8710e36e0b

SHA256
b8c37b41acc314ba2e3b02c6bee0e8672f29f1dc25bfe06e1ee22cd7da231834

SHA512
c454f55eb2f0caf97ce0649fedc2d4d524bcad55a0908afc4fd4f74694440d7e78b0ba9974accfeae095edcd4dcae8eadf2016a318d8e32ceae51234e6b0e9a7

Download Submit
memory/848-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-222-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1048-75-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1048-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-182-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1108-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-209-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/1652-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-156-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2004-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-234-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2064-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-104-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2288-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-22-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2380-12-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2380-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-13-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2380-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-49-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2584-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-95-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2608-94-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2908-196-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2908-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-39-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2920-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads