berbew | d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Size

276KB
MD5

54a78c8457888e0468586176d2fe4f4e
SHA1

982bb9777ad74cdae88e3c09fe7a434b98c02e43
SHA256

d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57
SHA512

074c32dd06f9c360cbd18949c7214886b4c2e7bfd45c8686f4a0ea5cb1ce34a44a12400f61752fb17f7a10f760dd104278fabe45f9e05a5a2e4189c106c70e3f
SSDEEP

3072:rahgUKC0dyhlvdX3EheS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDrM8d7wM8:e2RhdZMGXF5ahdt3rM8d7TtLa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjgfomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfbinf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdlpkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdlpkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liboodmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mganfp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbfobllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miiaogio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljjqbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljjqbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfbinf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmcdkbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odoakckp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmlnjcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liboodmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmcdkbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meeopdhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlekja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odoakckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ophoecoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlnjcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmekpmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbfobllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlocka32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogddhmdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkgig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmekpmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mganfp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meeopdhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlocka32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjgfomh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlekja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbkgig32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
2720	Jdjgfomh.exe
2644	Jlekja32.exe
2280	Jfbinf32.exe
2992	Kbkgig32.exe
2944	Kdlpkb32.exe
2288	Lmlnjcgg.exe
2756	Liboodmk.exe
1788	Lmcdkbao.exe
1744	Lgmekpmn.exe
584	Mganfp32.exe
3044	Meeopdhb.exe
1996	Miiaogio.exe
1132	Nljjqbfp.exe
2132	Nbfobllj.exe
1700	Nlocka32.exe
2740	Odoakckp.exe
1048	Oacbdg32.exe
1972	Ophoecoa.exe
1108	Ogddhmdl.exe
2568	Ockdmn32.exe

Loads dropped DLL 44 IoCs

pid	Process
2736	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
2736	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
2720	Jdjgfomh.exe
2720	Jdjgfomh.exe
2644	Jlekja32.exe
2644	Jlekja32.exe
2280	Jfbinf32.exe
2280	Jfbinf32.exe
2992	Kbkgig32.exe
2992	Kbkgig32.exe
2944	Kdlpkb32.exe
2944	Kdlpkb32.exe
2288	Lmlnjcgg.exe
2288	Lmlnjcgg.exe
2756	Liboodmk.exe
2756	Liboodmk.exe
1788	Lmcdkbao.exe
1788	Lmcdkbao.exe
1744	Lgmekpmn.exe
1744	Lgmekpmn.exe
584	Mganfp32.exe
584	Mganfp32.exe
3044	Meeopdhb.exe
3044	Meeopdhb.exe
1996	Miiaogio.exe
1996	Miiaogio.exe
1132	Nljjqbfp.exe
1132	Nljjqbfp.exe
2132	Nbfobllj.exe
2132	Nbfobllj.exe
1700	Nlocka32.exe
1700	Nlocka32.exe
2740	Odoakckp.exe
2740	Odoakckp.exe
1048	Oacbdg32.exe
1048	Oacbdg32.exe
1972	Ophoecoa.exe
1972	Ophoecoa.exe
1108	Ogddhmdl.exe
1108	Ogddhmdl.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oacbdg32.exe	Odoakckp.exe
File opened for modification	C:\Windows\SysWOW64\Kdlpkb32.exe	Kbkgig32.exe
File opened for modification	C:\Windows\SysWOW64\Lmcdkbao.exe	Liboodmk.exe
File created	C:\Windows\SysWOW64\Ebeffboh.dll	Lgmekpmn.exe
File created	C:\Windows\SysWOW64\Miiaogio.exe	Meeopdhb.exe
File created	C:\Windows\SysWOW64\Ncnhfi32.dll	Nljjqbfp.exe
File opened for modification	C:\Windows\SysWOW64\Odoakckp.exe	Nlocka32.exe
File created	C:\Windows\SysWOW64\Lgfamj32.dll	Nlocka32.exe
File created	C:\Windows\SysWOW64\Jfbinf32.exe	Jlekja32.exe
File opened for modification	C:\Windows\SysWOW64\Nlocka32.exe	Nbfobllj.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmn32.exe	Ogddhmdl.exe
File created	C:\Windows\SysWOW64\Khhaomjd.dll	Ogddhmdl.exe
File created	C:\Windows\SysWOW64\Gniiomgc.dll	Jdjgfomh.exe
File opened for modification	C:\Windows\SysWOW64\Liboodmk.exe	Lmlnjcgg.exe
File opened for modification	C:\Windows\SysWOW64\Nbfobllj.exe	Nljjqbfp.exe
File opened for modification	C:\Windows\SysWOW64\Ogddhmdl.exe	Ophoecoa.exe
File created	C:\Windows\SysWOW64\Lmlnjcgg.exe	Kdlpkb32.exe
File opened for modification	C:\Windows\SysWOW64\Lmlnjcgg.exe	Kdlpkb32.exe
File created	C:\Windows\SysWOW64\Liboodmk.exe	Lmlnjcgg.exe
File created	C:\Windows\SysWOW64\Lmcdkbao.exe	Liboodmk.exe
File opened for modification	C:\Windows\SysWOW64\Mganfp32.exe	Lgmekpmn.exe
File created	C:\Windows\SysWOW64\Jngakhdp.dll	Odoakckp.exe
File created	C:\Windows\SysWOW64\Ebakdbbk.dll	Ophoecoa.exe
File created	C:\Windows\SysWOW64\Jlekja32.exe	Jdjgfomh.exe
File created	C:\Windows\SysWOW64\Kdlpkb32.exe	Kbkgig32.exe
File created	C:\Windows\SysWOW64\Hjidml32.dll	Liboodmk.exe
File created	C:\Windows\SysWOW64\Glfiinip.dll	Mganfp32.exe
File created	C:\Windows\SysWOW64\Nljjqbfp.exe	Miiaogio.exe
File opened for modification	C:\Windows\SysWOW64\Nljjqbfp.exe	Miiaogio.exe
File created	C:\Windows\SysWOW64\Jdjgfomh.exe	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
File opened for modification	C:\Windows\SysWOW64\Jfbinf32.exe	Jlekja32.exe
File created	C:\Windows\SysWOW64\Kbkgig32.exe	Jfbinf32.exe
File created	C:\Windows\SysWOW64\Cblmfa32.dll	Kdlpkb32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmekpmn.exe	Lmcdkbao.exe
File created	C:\Windows\SysWOW64\Nbfobllj.exe	Nljjqbfp.exe
File created	C:\Windows\SysWOW64\Aqghocek.dll	Kbkgig32.exe
File created	C:\Windows\SysWOW64\Ophoecoa.exe	Oacbdg32.exe
File created	C:\Windows\SysWOW64\Ockdmn32.exe	Ogddhmdl.exe
File created	C:\Windows\SysWOW64\Oacbdg32.exe	Odoakckp.exe
File created	C:\Windows\SysWOW64\Dmqddn32.dll	Lmlnjcgg.exe
File created	C:\Windows\SysWOW64\Lgmekpmn.exe	Lmcdkbao.exe
File opened for modification	C:\Windows\SysWOW64\Meeopdhb.exe	Mganfp32.exe
File created	C:\Windows\SysWOW64\Hipdajoc.dll	Miiaogio.exe
File created	C:\Windows\SysWOW64\Dkpgohdb.dll	Jlekja32.exe
File created	C:\Windows\SysWOW64\Nfgbdo32.dll	Lmcdkbao.exe
File created	C:\Windows\SysWOW64\Odoakckp.exe	Nlocka32.exe
File created	C:\Windows\SysWOW64\Ogddhmdl.exe	Ophoecoa.exe
File created	C:\Windows\SysWOW64\Degjpgmg.dll	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
File opened for modification	C:\Windows\SysWOW64\Miiaogio.exe	Meeopdhb.exe
File created	C:\Windows\SysWOW64\Djfoghqi.dll	Meeopdhb.exe
File created	C:\Windows\SysWOW64\Ejegcc32.dll	Oacbdg32.exe
File opened for modification	C:\Windows\SysWOW64\Kbkgig32.exe	Jfbinf32.exe
File created	C:\Windows\SysWOW64\Mganfp32.exe	Lgmekpmn.exe
File created	C:\Windows\SysWOW64\Nlocka32.exe	Nbfobllj.exe
File created	C:\Windows\SysWOW64\Mbgomd32.dll	Nbfobllj.exe
File opened for modification	C:\Windows\SysWOW64\Ophoecoa.exe	Oacbdg32.exe
File opened for modification	C:\Windows\SysWOW64\Jlekja32.exe	Jdjgfomh.exe
File created	C:\Windows\SysWOW64\Lloimaiq.dll	Jfbinf32.exe
File created	C:\Windows\SysWOW64\Meeopdhb.exe	Mganfp32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjgfomh.exe	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	2568	WerFault.exe	49

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjgfomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkgig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdlpkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meeopdhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oacbdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlekja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmlnjcgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlocka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfbinf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liboodmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmcdkbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmekpmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mganfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ophoecoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogddhmdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miiaogio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljjqbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbfobllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odoakckp.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpgohdb.dll"	Jlekja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloimaiq.dll"	Jfbinf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjidml32.dll"	Liboodmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlocka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjgfomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfoghqi.dll"	Meeopdhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gniiomgc.dll"	Jdjgfomh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdlpkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebeffboh.dll"	Lgmekpmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlekja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmqddn32.dll"	Lmlnjcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnhfi32.dll"	Nljjqbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liboodmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liboodmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfgbdo32.dll"	Lmcdkbao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlocka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngakhdp.dll"	Odoakckp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblmfa32.dll"	Kdlpkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgmekpmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mganfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odoakckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmlnjcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfiinip.dll"	Mganfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbfobllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdjgfomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejegcc32.dll"	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdlpkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Meeopdhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odoakckp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlekja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbkgig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbfobllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ophoecoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll"	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfbinf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipdajoc.dll"	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljjqbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfbinf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmcdkbao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miiaogio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqghocek.dll"	Kbkgig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmcdkbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miiaogio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljjqbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbkgig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgomd32.dll"	Nbfobllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mganfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfamj32.dll"	Nlocka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebakdbbk.dll"	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmlnjcgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgmekpmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meeopdhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ophoecoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Degjpgmg.dll"	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2720	2736	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe	30
PID 2736 wrote to memory of 2720	2736	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe	30
PID 2736 wrote to memory of 2720	2736	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe	30
PID 2736 wrote to memory of 2720	2736	d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe	30
PID 2720 wrote to memory of 2644	2720	Jdjgfomh.exe	31
PID 2720 wrote to memory of 2644	2720	Jdjgfomh.exe	31
PID 2720 wrote to memory of 2644	2720	Jdjgfomh.exe	31
PID 2720 wrote to memory of 2644	2720	Jdjgfomh.exe	31
PID 2644 wrote to memory of 2280	2644	Jlekja32.exe	32
PID 2644 wrote to memory of 2280	2644	Jlekja32.exe	32
PID 2644 wrote to memory of 2280	2644	Jlekja32.exe	32
PID 2644 wrote to memory of 2280	2644	Jlekja32.exe	32
PID 2280 wrote to memory of 2992	2280	Jfbinf32.exe	33
PID 2280 wrote to memory of 2992	2280	Jfbinf32.exe	33
PID 2280 wrote to memory of 2992	2280	Jfbinf32.exe	33
PID 2280 wrote to memory of 2992	2280	Jfbinf32.exe	33
PID 2992 wrote to memory of 2944	2992	Kbkgig32.exe	34
PID 2992 wrote to memory of 2944	2992	Kbkgig32.exe	34
PID 2992 wrote to memory of 2944	2992	Kbkgig32.exe	34
PID 2992 wrote to memory of 2944	2992	Kbkgig32.exe	34
PID 2944 wrote to memory of 2288	2944	Kdlpkb32.exe	35
PID 2944 wrote to memory of 2288	2944	Kdlpkb32.exe	35
PID 2944 wrote to memory of 2288	2944	Kdlpkb32.exe	35
PID 2944 wrote to memory of 2288	2944	Kdlpkb32.exe	35
PID 2288 wrote to memory of 2756	2288	Lmlnjcgg.exe	36
PID 2288 wrote to memory of 2756	2288	Lmlnjcgg.exe	36
PID 2288 wrote to memory of 2756	2288	Lmlnjcgg.exe	36
PID 2288 wrote to memory of 2756	2288	Lmlnjcgg.exe	36
PID 2756 wrote to memory of 1788	2756	Liboodmk.exe	37
PID 2756 wrote to memory of 1788	2756	Liboodmk.exe	37
PID 2756 wrote to memory of 1788	2756	Liboodmk.exe	37
PID 2756 wrote to memory of 1788	2756	Liboodmk.exe	37
PID 1788 wrote to memory of 1744	1788	Lmcdkbao.exe	38
PID 1788 wrote to memory of 1744	1788	Lmcdkbao.exe	38
PID 1788 wrote to memory of 1744	1788	Lmcdkbao.exe	38
PID 1788 wrote to memory of 1744	1788	Lmcdkbao.exe	38
PID 1744 wrote to memory of 584	1744	Lgmekpmn.exe	39
PID 1744 wrote to memory of 584	1744	Lgmekpmn.exe	39
PID 1744 wrote to memory of 584	1744	Lgmekpmn.exe	39
PID 1744 wrote to memory of 584	1744	Lgmekpmn.exe	39
PID 584 wrote to memory of 3044	584	Mganfp32.exe	40
PID 584 wrote to memory of 3044	584	Mganfp32.exe	40
PID 584 wrote to memory of 3044	584	Mganfp32.exe	40
PID 584 wrote to memory of 3044	584	Mganfp32.exe	40
PID 3044 wrote to memory of 1996	3044	Meeopdhb.exe	41
PID 3044 wrote to memory of 1996	3044	Meeopdhb.exe	41
PID 3044 wrote to memory of 1996	3044	Meeopdhb.exe	41
PID 3044 wrote to memory of 1996	3044	Meeopdhb.exe	41
PID 1996 wrote to memory of 1132	1996	Miiaogio.exe	42
PID 1996 wrote to memory of 1132	1996	Miiaogio.exe	42
PID 1996 wrote to memory of 1132	1996	Miiaogio.exe	42
PID 1996 wrote to memory of 1132	1996	Miiaogio.exe	42
PID 1132 wrote to memory of 2132	1132	Nljjqbfp.exe	43
PID 1132 wrote to memory of 2132	1132	Nljjqbfp.exe	43
PID 1132 wrote to memory of 2132	1132	Nljjqbfp.exe	43
PID 1132 wrote to memory of 2132	1132	Nljjqbfp.exe	43
PID 2132 wrote to memory of 1700	2132	Nbfobllj.exe	44
PID 2132 wrote to memory of 1700	2132	Nbfobllj.exe	44
PID 2132 wrote to memory of 1700	2132	Nbfobllj.exe	44
PID 2132 wrote to memory of 1700	2132	Nbfobllj.exe	44
PID 1700 wrote to memory of 2740	1700	Nlocka32.exe	45
PID 1700 wrote to memory of 2740	1700	Nlocka32.exe	45
PID 1700 wrote to memory of 2740	1700	Nlocka32.exe	45
PID 1700 wrote to memory of 2740	1700	Nlocka32.exe	45

C:\Users\Admin\AppData\Local\Temp\d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe
"C:\Users\Admin\AppData\Local\Temp\d790c6e96906a2ea29e41ba1df34575daece7794174cb27d04547633a4567a57.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\Jdjgfomh.exe
  C:\Windows\system32\Jdjgfomh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Jlekja32.exe
    C:\Windows\system32\Jlekja32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\Jfbinf32.exe
      C:\Windows\system32\Jfbinf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\SysWOW64\Kbkgig32.exe
        
        C:\Windows\system32\Kbkgig32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\SysWOW64\Kdlpkb32.exe
        
        C:\Windows\system32\Kdlpkb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Lmlnjcgg.exe
        
        C:\Windows\system32\Lmlnjcgg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Liboodmk.exe
        
        C:\Windows\system32\Liboodmk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Lmcdkbao.exe
        
        C:\Windows\system32\Lmcdkbao.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Lgmekpmn.exe
        
        C:\Windows\system32\Lgmekpmn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Mganfp32.exe
        
        C:\Windows\system32\Mganfp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Meeopdhb.exe
        
        C:\Windows\system32\Meeopdhb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Miiaogio.exe
        
        C:\Windows\system32\Miiaogio.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Nljjqbfp.exe
        
        C:\Windows\system32\Nljjqbfp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Nbfobllj.exe
        
        C:\Windows\system32\Nbfobllj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Nlocka32.exe
        
        C:\Windows\system32\Nlocka32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Odoakckp.exe
        
        C:\Windows\system32\Odoakckp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Oacbdg32.exe
        
        C:\Windows\system32\Oacbdg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Ophoecoa.exe
        
        C:\Windows\system32\Ophoecoa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ogddhmdl.exe
        
        C:\Windows\system32\Ogddhmdl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Ockdmn32.exe
        
        C:\Windows\system32\Ockdmn32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqghocek.dll

Filesize
7KB

MD5
9b6d8f7544a49ffd88b2478d83a738ee

SHA1
0cb55c459f54c21db3a545b792698ec97efacac8

SHA256
8046eacdf5d19da7914546a6ab30af6867484e3dfde84484f58db06989129e2b

SHA512
0fed31fde277d041d7dfd8910975a43e56c36c091239b0d6f7bdd590618524c4f9d43397a98a872f295d35c5d8c6f47eeb6ce9861be6fad84916ddabf56882dd

Download Submit
C:\Windows\SysWOW64\Jlekja32.exe

Filesize
276KB

MD5
3238694d8bbbfae2c4330595df174dde

SHA1
666e58b40d7d8ab4badafabedad811c4c08451ea

SHA256
403752c4afee8b32071d2c1a2fcaf6628f01fcf387df410fb79350f99065f07b

SHA512
272461497b4f14a64bf6bf657f3b932802cef53f5337a839bea7070cd95349de5fad9fad574ce49b431443e672cdc7214effa23a6ea36cfc941320eee3fde160

Download Submit
C:\Windows\SysWOW64\Nbfobllj.exe

Filesize
276KB

MD5
c3eb9e52f5bed99a0e71a9d7cb824fd6

SHA1
c53ebd4deba0298e76048748b6daf81a1ae6951e

SHA256
7ce277d9e6b5e53f3b10da04de2bb904a6916613dd942b336ed9e518564c864c

SHA512
210edc5849396569b348e78755cf1145897327ed06a937579ac68091da842105e8ec3ea72678c7fa38783dfe0d88707661bc18d50f2728b6282a330c223a96e4

Download Submit
C:\Windows\SysWOW64\Oacbdg32.exe

Filesize
276KB

MD5
6288769aafaffb653aa5a5ab4a2b34d4

SHA1
cecb8f0705851dcbaa2a0f2ef2301e050e632b4a

SHA256
c6b650eafb43e57aa6fb6208a55e7f7a529b2dc10697939cfb0dc380ab0b612c

SHA512
eac59569c9c563b44c4841c70d44a4d917fb8a9168345b34d95a0767930e8c2e3dabed3591aad6542089598543507c693ad31e18b0423f80be2cf896276d8869

Download Submit
C:\Windows\SysWOW64\Ockdmn32.exe

Filesize
276KB

MD5
8c48fbc80a5e8e84820fc2599070a195

SHA1
6178c42fa653db6882aac224497b31e101a9f58c

SHA256
d8924a4eed23ef14e9b534c369a83cbc9843c557b53b858884c8b44f2d8d4e2d

SHA512
39583a643ba54fd26bbeb7fc6002d1135c16e3b36e1254afbc1612913b5777ee063a64d4dbea919c470fd952e12c1f2eeedee579728de11e48ea2c29abb65285

Download Submit
C:\Windows\SysWOW64\Ogddhmdl.exe

Filesize
276KB

MD5
410089850a59b81db37df63241e3fa9a

SHA1
cf512fa1552bd1727a8e5d99ff241c94dc309268

SHA256
23ac2075ee6de108dd36b139ca4526443d128ea766776a3ab670f8d4a0843430

SHA512
0d5118d61f90f04e1d04c713b336385356af628a3d5821efa8988eabb5333c2e78a785ed42d98a8f2d78568258686ae6d18e9ec0f1fd2f2417be078bba2f3a49

Download Submit
C:\Windows\SysWOW64\Ophoecoa.exe

Filesize
276KB

MD5
369f58cee65ccf5446455d64ebb52faf

SHA1
2a50c37ad305f17951200445de6d715cfc5ba278

SHA256
0ca2da132ea7361b7c324a7d7b87cf957faa3bcd38af3268fd3a413b477a20aa

SHA512
df2ff61e7bc743da6ac178f69d1359e53a8c5525148458d2b86092f0a6083143dce96ca0ec11d84b0749975eff1bcfff9d4760368423eb9715864cceee0259b5

Download Submit
\Windows\SysWOW64\Jdjgfomh.exe

Filesize
276KB

MD5
8647d1048bb0749e123034e9b80a064c

SHA1
45f285729f6ae31f19434c5481dc99aea6e1724d

SHA256
1c1a2b1c5a2ae857f51b48d6ce040499fa945c2396294c8c058dbb25c9d377dc

SHA512
78ecf701539200b514a13708e10a468bf806bde5716931ff89166994c7a3507667d8f69781cdc9267d85371c1806323ed46dd48cc3a4b2b3fc7af40f1547fe8e

Download Submit
\Windows\SysWOW64\Jfbinf32.exe

Filesize
276KB

MD5
2e96fad6da2ad1b26031d2e31b91f002

SHA1
168c45b574e117e4ea847415670e0a88b555a694

SHA256
e3e923fa559eb4f8b8c3356329e085cd407f80ef07f7aeb0c5c6d14b2cb831ec

SHA512
eb495a62f20bd641ce8935ee0cfd440ba2c6d3c0303d44cb7c344137251726580aa8ae15ba930a4d4b33de30069229423406ba02563f5df73a86db4643c62655

Download Submit
\Windows\SysWOW64\Kbkgig32.exe

Filesize
276KB

MD5
c314089c184c721c3f7c7dd8deed677d

SHA1
e346a6a12a97bd573f6fd5bcf714c9eddfe40640

SHA256
307aae742c7239bf21fc72ea873b562871823ed691386c51d693fa8159cac701

SHA512
9503ce9a31ece62478335166a348b61daaced3399df1db053e3d43c0ccc93b6793c8a3722ef1ad28c69ba58a1d65fe054aef4fdd053e42f6df77e4a5aa8c2f59

Download Submit
\Windows\SysWOW64\Kdlpkb32.exe

Filesize
276KB

MD5
fce1655a619c83135c9587409dfb6b9f

SHA1
77fb5ba383e47a39555db92eb55e5f6a8d35b1d4

SHA256
00977534345ebe66df03db25952be92db0f2480aa26963cc8f52b8039c3fc5ca

SHA512
bd33dcead43391b7840cb19aef9f8b785a79b8b624b584f44a84d8c6bdccf507fc8e30f767b2f041c41feeb0e60b941c4b252eba6ec7b8324f17f39aacedf0be

Download Submit
\Windows\SysWOW64\Lgmekpmn.exe

Filesize
276KB

MD5
ed9103be5a17b1aa4752402c27ce603f

SHA1
545cb2870843b02e250c882741d8eb033af47965

SHA256
4c019b3ff6654bc39e7e76aeb6bbc25fa387275b47260d8fef5c85073397b585

SHA512
2e3f9744087096a7da0071b13f0f3b982cdab83a73648f234c6319aeff8d7b27006202b40e1b8084f1b098bf504e4b66b14869e6c600b055d6fc3faef6a6529e

Download Submit
\Windows\SysWOW64\Liboodmk.exe

Filesize
276KB

MD5
e3f40e9f183b355857c900c19a8919ef

SHA1
8c2af29bd3148765416e8d07b0dfa9b2f9e53daf

SHA256
4da0bfd7a395609500c290daedcad7c645fc97b8834af333727b2829b5bd6ec9

SHA512
1067e5c5df41ca93fbcffc6159e4ab80d90e512902ec327a2b029bf09ee7b9a9a48051a759c698fbf698d6abf1c2079cab8daaca01b2346064a907a4cf3ff136

Download Submit
\Windows\SysWOW64\Lmcdkbao.exe

Filesize
276KB

MD5
a76acbea6c74a4bdb4a0badbf85d7b84

SHA1
49f9cf13bcdbd1dc8ea3058c1554ae2379a44ee4

SHA256
b802503597acee64bdea91c3247489038400f920c2eeb3cb57280087ef87f642

SHA512
32b680e509e13d3834e6434bf1d5a90980c8ea99ef6f8a413de48bc3fcfe9875850dcdfd88e0d7be059017592f2c17555495c7faf3d6110fccec914ce1ca7759

Download Submit
\Windows\SysWOW64\Lmlnjcgg.exe

Filesize
276KB

MD5
53857e8f756c67b989a63d37697c2ce3

SHA1
23ad098fe5deee6dc63ffccfeb1a7f4ddd71d0cb

SHA256
34e86fabf43ec6e46062570b2108ae98d99c87c1abe260833a802c2f1235056b

SHA512
9384ee70857c2b1352157a901491d8c5a39c32fa39ca04046b7b830bfd7f921132ec8d7e727ec08cce3582210335c6dfc674212af036eeadda1907412cf20aa4

Download Submit
\Windows\SysWOW64\Meeopdhb.exe

Filesize
276KB

MD5
8915af1df671f14310566ff7650e2157

SHA1
d33dfb74e966850274781bf08ea131e047efc5b5

SHA256
9d18d7b42b838d50c2ccdd30f4528edfe27f77f19e16412ef6d6319686cc9016

SHA512
f16e312886ab2b95bb4840061506b650a1b94befdb9dd7959f71a5c6dc55e8c057ccd35c111356085fc36e917b7b226ff5f41071a8f58bd25caf398441e47e97

Download Submit
\Windows\SysWOW64\Mganfp32.exe

Filesize
276KB

MD5
35bd31e2fda226348f4afc3d0ab39242

SHA1
bc8069d39e3bb4a350fe1c597c0328dd3b3986ad

SHA256
c6dd13ef837d6e1e48cb244cfcafb3299417eae07bfa3ab836c9ff66b573ecab

SHA512
3742b4a6cf15e872e1d0a01035245c65106c4b0ef69d2fd98a663b74facc8d09975e4ebc35107cac76e2d7a40eb65d4f42cccfc05a427b343427af61c2a416f2

Download Submit
\Windows\SysWOW64\Miiaogio.exe

Filesize
276KB

MD5
20cb687c5153f65f60b295475a75cab2

SHA1
8218e5a006cfc66e87ee1c93628bb65713c54536

SHA256
0107217aca64b3d0cd404c5e8a8629dabcb94f41038fa1203db338d282a180e9

SHA512
373711426b635bd581d91213e513de6feb52d9bcae234f0b44a5a7e744e8b0defa7b0100f00e1b9f78d68f5dc884facbb50d3f4b8d3e38154e35e7f96ac479a8

Download Submit
\Windows\SysWOW64\Nljjqbfp.exe

Filesize
276KB

MD5
e817ecd7dc502961d07d0016df47f167

SHA1
b2bbdc0028b59ff29d26cdcbe16d65e123ac03a5

SHA256
ebbc83755b2b5087c2b35c9013dda1485032e75305d8526135b4c9f9cee081f0

SHA512
7f1c50f03fc3067fa0951921fb0ceff4f23875cbc29b39681a7255d274b466a185bf95aa699eb58615c41c876b68c62d0ee10847792571e8cb097a3ff4ae10b9

Download Submit
\Windows\SysWOW64\Nlocka32.exe

Filesize
276KB

MD5
787338780816082734adcb25521c2405

SHA1
39bd494cb4c0917ebbdcfc8e55dbe4efe152a890

SHA256
fc8112f30180397e25df9d0888eabed1b59f91f58972e66e48be77f373e804fb

SHA512
3879877a1d9f34d03623366757e3c403fba06ded35822f614af97b535d1f942aafcf24e258604135b93c9160156a5816f28ec96b0f98bf2dc0a419d410a83e1f

Download Submit
\Windows\SysWOW64\Odoakckp.exe

Filesize
276KB

MD5
5f8758dc57d9d9bdf4ce13a0fafc33aa

SHA1
3546a1262a820ec1c465582529ff4b471cf6e4a8

SHA256
67f3e2505cdda8b240d096e2dc919875c128dcaabc97a2f4aced40a0707ad0fe

SHA512
12af825c3f25e64a932f6c1fc5a9271a9bd7fa0f84b214d64060e2ee98fc0925aee47cc6198ebb51bdf49a9149959ff748773d82f1dc0481b306f3c8df76cb0c

Download Submit
memory/584-151-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/584-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/584-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-241-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1048-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-258-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/1132-188-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1132-194-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1132-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-216-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1700-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-137-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1744-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-118-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1788-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-251-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1972-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-179-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2132-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-49-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2280-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-94-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2568-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-40-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2644-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-12-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2736-14-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2736-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-231-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2756-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-104-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2944-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-81-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2992-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-67-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2992-66-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/3044-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-160-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads