94938db1cc65610924800cfcca7733103df68cb1a5ca4cbd28417531e318770b

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 15:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a08e1623ab5e54bb359f6efa64079539.exe
Size

386KB
MD5

a08e1623ab5e54bb359f6efa64079539
SHA1

c0b4fb80a01991d70adab059d41e019902db217f
SHA256

94938db1cc65610924800cfcca7733103df68cb1a5ca4cbd28417531e318770b
SHA512

9f807b29787650dedef3e1e8b1c8926d848b9029835774de9860757b285f8a97e18f932375ead3af1efdbc76cb29807204f834ff00a58011bf375a91100ab152
SSDEEP

12288:GY8rCZYE6YYBHpd0uD319ZvSntnhp352SCdL:GY8rCyE6YYBHpd0uD319ZvSntnhp3525

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a08e1623ab5e54bb359f6efa64079539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a08e1623ab5e54bb359f6efa64079539.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngkogj32.exe

Malware Dropper & Backdoor - Berbew 51 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x0007000000012264-5.dat	family_berbew
behavioral1/files/0x00090000000142c0-28.dat	family_berbew
behavioral1/files/0x0007000000014483-41.dat	family_berbew
behavioral1/files/0x0008000000015471-67.dat	family_berbew
behavioral1/files/0x00060000000155f6-78.dat	family_berbew
behavioral1/files/0x0006000000015bf3-88.dat	family_berbew
behavioral1/files/0x0006000000015c13-98.dat	family_berbew
behavioral1/files/0x0006000000015c3c-120.dat	family_berbew
behavioral1/files/0x0006000000015c67-146.dat	family_berbew
behavioral1/files/0x0006000000015c67-141.dat	family_berbew
behavioral1/files/0x0006000000015c67-140.dat	family_berbew
behavioral1/files/0x0006000000015c67-138.dat	family_berbew
behavioral1/files/0x0006000000015c4c-133.dat	family_berbew
behavioral1/files/0x0006000000015c4c-132.dat	family_berbew
behavioral1/files/0x0006000000015c4c-128.dat	family_berbew
behavioral1/files/0x0006000000015c4c-127.dat	family_berbew
behavioral1/files/0x0006000000015c4c-125.dat	family_berbew
behavioral1/files/0x0006000000015c3c-119.dat	family_berbew
behavioral1/files/0x0006000000015c3c-115.dat	family_berbew
behavioral1/files/0x0006000000015c3c-114.dat	family_berbew
behavioral1/files/0x0006000000015c3c-112.dat	family_berbew
behavioral1/files/0x0006000000015c13-106.dat	family_berbew
behavioral1/files/0x0006000000015c13-105.dat	family_berbew
behavioral1/files/0x0006000000015c13-101.dat	family_berbew
behavioral1/files/0x0006000000015c13-100.dat	family_berbew
behavioral1/files/0x0006000000015bf3-85.dat	family_berbew
behavioral1/files/0x00060000000155f6-80.dat	family_berbew
behavioral1/files/0x00060000000155f6-77.dat	family_berbew
behavioral1/files/0x00060000000155f6-74.dat	family_berbew
behavioral1/files/0x00060000000155f6-72.dat	family_berbew
behavioral1/files/0x0008000000015471-66.dat	family_berbew
behavioral1/files/0x0008000000015471-63.dat	family_berbew
behavioral1/files/0x0008000000015471-62.dat	family_berbew
behavioral1/files/0x0008000000015471-59.dat	family_berbew
behavioral1/files/0x0009000000014601-54.dat	family_berbew
behavioral1/files/0x0009000000014601-52.dat	family_berbew
behavioral1/files/0x0009000000014601-49.dat	family_berbew
behavioral1/files/0x0009000000014601-48.dat	family_berbew
behavioral1/files/0x0009000000014601-46.dat	family_berbew
behavioral1/files/0x0007000000014483-39.dat	family_berbew
behavioral1/files/0x0007000000014483-35.dat	family_berbew
behavioral1/files/0x0007000000014483-36.dat	family_berbew
behavioral1/files/0x0007000000014483-33.dat	family_berbew
behavioral1/files/0x00090000000142c0-26.dat	family_berbew
behavioral1/files/0x00090000000142c0-23.dat	family_berbew
behavioral1/files/0x00090000000142c0-22.dat	family_berbew
behavioral1/files/0x00090000000142c0-20.dat	family_berbew
behavioral1/files/0x0007000000012264-14.dat	family_berbew
behavioral1/files/0x0007000000012264-12.dat	family_berbew
behavioral1/files/0x0007000000012264-9.dat	family_berbew
behavioral1/files/0x0007000000012264-8.dat	family_berbew

Executes dropped EXE 14 IoCs

pid	Process
1996	Mdacop32.exe
2532	Mkklljmg.exe
2596	Mmihhelk.exe
2600	Mdcpdp32.exe
2584	Mgalqkbk.exe
2480	Mmldme32.exe
2456	Nhaikn32.exe
2968	Nckjkl32.exe
268	Niebhf32.exe
872	Npojdpef.exe
2772	Ngibaj32.exe
1956	Nmbknddp.exe
1924	Ngkogj32.exe
1512	Nlhgoqhh.exe

Loads dropped DLL 32 IoCs

pid	Process
2008	a08e1623ab5e54bb359f6efa64079539.exe
2008	a08e1623ab5e54bb359f6efa64079539.exe
1996	Mdacop32.exe
1996	Mdacop32.exe
2532	Mkklljmg.exe
2532	Mkklljmg.exe
2596	Mmihhelk.exe
2596	Mmihhelk.exe
2600	Mdcpdp32.exe
2600	Mdcpdp32.exe
2584	Mgalqkbk.exe
2584	Mgalqkbk.exe
2480	Mmldme32.exe
2480	Mmldme32.exe
2456	Nhaikn32.exe
2456	Nhaikn32.exe
2968	Nckjkl32.exe
2968	Nckjkl32.exe
268	Niebhf32.exe
268	Niebhf32.exe
872	Npojdpef.exe
872	Npojdpef.exe
2772	Ngibaj32.exe
2772	Ngibaj32.exe
1956	Nmbknddp.exe
1956	Nmbknddp.exe
1924	Ngkogj32.exe
1924	Ngkogj32.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Mgalqkbk.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Npojdpef.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	a08e1623ab5e54bb359f6efa64079539.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	a08e1623ab5e54bb359f6efa64079539.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	a08e1623ab5e54bb359f6efa64079539.exe
File opened for modification	C:\Windows\SysWOW64\Mkklljmg.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Mmihhelk.exe	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Nhaikn32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Oaajloig.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Nhaikn32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Diceon32.dll	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Dhffckeo.dll	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Mkklljmg.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mkklljmg.exe
File opened for modification	C:\Windows\SysWOW64\Mgalqkbk.exe	Mdcpdp32.exe

Program crash 1 IoCs

pid	pid_target	Process
852	1512	WerFault.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a08e1623ab5e54bb359f6efa64079539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a08e1623ab5e54bb359f6efa64079539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Npojdpef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npojdpef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a08e1623ab5e54bb359f6efa64079539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a08e1623ab5e54bb359f6efa64079539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diceon32.dll"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a08e1623ab5e54bb359f6efa64079539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaajloig.dll"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	a08e1623ab5e54bb359f6efa64079539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1996	2008	a08e1623ab5e54bb359f6efa64079539.exe	30
PID 2008 wrote to memory of 1996	2008	a08e1623ab5e54bb359f6efa64079539.exe	30
PID 2008 wrote to memory of 1996	2008	a08e1623ab5e54bb359f6efa64079539.exe	30
PID 2008 wrote to memory of 1996	2008	a08e1623ab5e54bb359f6efa64079539.exe	30
PID 1996 wrote to memory of 2532	1996	Mdacop32.exe	29
PID 1996 wrote to memory of 2532	1996	Mdacop32.exe	29
PID 1996 wrote to memory of 2532	1996	Mdacop32.exe	29
PID 1996 wrote to memory of 2532	1996	Mdacop32.exe	29
PID 2532 wrote to memory of 2596	2532	Mkklljmg.exe	28
PID 2532 wrote to memory of 2596	2532	Mkklljmg.exe	28
PID 2532 wrote to memory of 2596	2532	Mkklljmg.exe	28
PID 2532 wrote to memory of 2596	2532	Mkklljmg.exe	28
PID 2596 wrote to memory of 2600	2596	Mmihhelk.exe	27
PID 2596 wrote to memory of 2600	2596	Mmihhelk.exe	27
PID 2596 wrote to memory of 2600	2596	Mmihhelk.exe	27
PID 2596 wrote to memory of 2600	2596	Mmihhelk.exe	27
PID 2600 wrote to memory of 2584	2600	Mdcpdp32.exe	16
PID 2600 wrote to memory of 2584	2600	Mdcpdp32.exe	16
PID 2600 wrote to memory of 2584	2600	Mdcpdp32.exe	16
PID 2600 wrote to memory of 2584	2600	Mdcpdp32.exe	16
PID 2584 wrote to memory of 2480	2584	Mgalqkbk.exe	26
PID 2584 wrote to memory of 2480	2584	Mgalqkbk.exe	26
PID 2584 wrote to memory of 2480	2584	Mgalqkbk.exe	26
PID 2584 wrote to memory of 2480	2584	Mgalqkbk.exe	26
PID 2480 wrote to memory of 2456	2480	Mmldme32.exe	25
PID 2480 wrote to memory of 2456	2480	Mmldme32.exe	25
PID 2480 wrote to memory of 2456	2480	Mmldme32.exe	25
PID 2480 wrote to memory of 2456	2480	Mmldme32.exe	25
PID 2456 wrote to memory of 2968	2456	Nhaikn32.exe	24
PID 2456 wrote to memory of 2968	2456	Nhaikn32.exe	24
PID 2456 wrote to memory of 2968	2456	Nhaikn32.exe	24
PID 2456 wrote to memory of 2968	2456	Nhaikn32.exe	24
PID 2968 wrote to memory of 268	2968	Nckjkl32.exe	17
PID 2968 wrote to memory of 268	2968	Nckjkl32.exe	17
PID 2968 wrote to memory of 268	2968	Nckjkl32.exe	17
PID 2968 wrote to memory of 268	2968	Nckjkl32.exe	17
PID 268 wrote to memory of 872	268	Niebhf32.exe	23
PID 268 wrote to memory of 872	268	Niebhf32.exe	23
PID 268 wrote to memory of 872	268	Niebhf32.exe	23
PID 268 wrote to memory of 872	268	Niebhf32.exe	23
PID 872 wrote to memory of 2772	872	Npojdpef.exe	22
PID 872 wrote to memory of 2772	872	Npojdpef.exe	22
PID 872 wrote to memory of 2772	872	Npojdpef.exe	22
PID 872 wrote to memory of 2772	872	Npojdpef.exe	22
PID 2772 wrote to memory of 1956	2772	Ngibaj32.exe	21
PID 2772 wrote to memory of 1956	2772	Ngibaj32.exe	21
PID 2772 wrote to memory of 1956	2772	Ngibaj32.exe	21
PID 2772 wrote to memory of 1956	2772	Ngibaj32.exe	21
PID 1956 wrote to memory of 1924	1956	Nmbknddp.exe	20
PID 1956 wrote to memory of 1924	1956	Nmbknddp.exe	20
PID 1956 wrote to memory of 1924	1956	Nmbknddp.exe	20
PID 1956 wrote to memory of 1924	1956	Nmbknddp.exe	20
PID 1924 wrote to memory of 1512	1924	Ngkogj32.exe	19
PID 1924 wrote to memory of 1512	1924	Ngkogj32.exe	19
PID 1924 wrote to memory of 1512	1924	Ngkogj32.exe	19
PID 1924 wrote to memory of 1512	1924	Ngkogj32.exe	19
PID 1512 wrote to memory of 852	1512	Nlhgoqhh.exe	18
PID 1512 wrote to memory of 852	1512	Nlhgoqhh.exe	18
PID 1512 wrote to memory of 852	1512	Nlhgoqhh.exe	18
PID 1512 wrote to memory of 852	1512	Nlhgoqhh.exe	18

C:\Windows\SysWOW64\Mgalqkbk.exe
C:\Windows\system32\Mgalqkbk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\Mmldme32.exe
  C:\Windows\system32\Mmldme32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2480

C:\Windows\SysWOW64\Niebhf32.exe
C:\Windows\system32\Niebhf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\SysWOW64\Npojdpef.exe
  C:\Windows\system32\Npojdpef.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 140
1⤵
- Loads dropped DLL
- Program crash
PID:852

C:\Windows\SysWOW64\Nlhgoqhh.exe
C:\Windows\system32\Nlhgoqhh.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\Ngkogj32.exe
C:\Windows\system32\Ngkogj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\Nmbknddp.exe
C:\Windows\system32\Nmbknddp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\Ngibaj32.exe
C:\Windows\system32\Ngibaj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\Nckjkl32.exe
C:\Windows\system32\Nckjkl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\Nhaikn32.exe
C:\Windows\system32\Nhaikn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\Mdcpdp32.exe
C:\Windows\system32\Mdcpdp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\Mmihhelk.exe
C:\Windows\system32\Mmihhelk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\Mkklljmg.exe
C:\Windows\system32\Mkklljmg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\Mdacop32.exe
C:\Windows\system32\Mdacop32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\a08e1623ab5e54bb359f6efa64079539.exe
"C:\Users\Admin\AppData\Local\Temp\a08e1623ab5e54bb359f6efa64079539.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhffckeo.dll

Filesize
7KB

MD5
1a6081b5bda60ec1fdafb9102456a4c4

SHA1
bc0df9222b68425332b4b032b2a1155e88797974

SHA256
15f1dc9acffa0cd7ca7f44396b712156c4b53ce66255d8125bfc011ea869a4bd

SHA512
73cc4371ce52ddb71570b7d0f6e98d8e8c7bb8fdb13c16cdf6ef2633b2466790b6033d870d9c0a7d24428b6989c5ae05d2e47251ea431d5fdd13eecc9611d686

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
75KB

MD5
7d1778008e3a46ea2afa7e29e5b68567

SHA1
41edcefb1f90eb8dc157e83d2a2a7490ad5bba9d

SHA256
b776de05675297351e7ee2d017fbbb69360393caf47edbe6ed265d0ead7515c7

SHA512
03ff2bf1077a6ad5ff5b234baccdb7ca5e5dd54d82aba46dc7bb1504bce809a538cb9543ccc0bc567c969abfc36ae309793a1da58488090914e13ae05dfcfb96

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
78KB

MD5
c5b524efa85c7f1891dbf75f9f8b3363

SHA1
325b7ca6faa617f2995fc4a461c97430e70ddea2

SHA256
fe9213b30051b2fc317e8b9dcfa8f76bf1ab54304ac41d13b406b0c14e410ab3

SHA512
6def400c7c17ba64ea804680effbdd30e1982e07a6009eed91852f741a127530b320c733aeec68a42d07c90a7f2d68e6d2219eff2b7430c58315f8fb79a8c878

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
45KB

MD5
fb273cf762e36384867f3749e9fe82ea

SHA1
c2756c4484fce5771286b43f436a0ac23a0e3edd

SHA256
cbcefc3ea25a2fd122c1858872f2c8d92dd7fd226028e58510d4bbcfc7179ba6

SHA512
3edf65c67e52eeedc6385728801504579fc1a69c037d6265305f5ca8d6407f3c0f22017871e6694b13eaec23c8ec765a1ad973a17b70523684fd0659277ab15a

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
9KB

MD5
0e1981a0178e211c7ec43a04f784b6db

SHA1
da01a4c9ced409d7bd5113a78f42b5905cf557f5

SHA256
7a6a53b7b5c9ae85c6352941d9bdba4e9718e107a3b9958c0a6f4ed10f685de4

SHA512
158688e41efef3e489002b11713bdb9117d4767cf771acf28c1c10f2cc9ebc84598426935bacded761b293594123c423d78cc497a2720a89da7911b53269c4e9

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
84KB

MD5
ef7e85ce6b333257f05ca3df88178552

SHA1
f6662d8689df2fb6441dac4cd04cef63edafe6d2

SHA256
164cbd4141a163b329adc44bb09bf401f8c5fd21e47dcd7d9a9853ec7828eb8c

SHA512
284b71cd5623936d680cb69137826219ac109583be0ca51b1f59aa7a9fc54a46fb761f15865ce1b1c3a7e4faf76ab790d267bd1c4b82770f803f32475a093c49

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
34KB

MD5
b9d0f0c01f376a7e44e82056b0af4d62

SHA1
26f613fc3245b4f28ccd74197926b2731d120b59

SHA256
74ef7e1e44929a9abdeac2fb6335012f6720283bc5e69a38b012b2312b31c04b

SHA512
9aefde79597b2e5ac49bb52e32bef2cb7b93b29fce18ed4495fa790f73d8d0b73042cf9712c359a31917f5efa089962b2692c7f2303dc16d3b07cea69186b7d0

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
12KB

MD5
13fdcf795ae1e23f01939b6da6c3163f

SHA1
6c8d141875d1c7d5a6bff363da0ef6c3219fd604

SHA256
53df8ef30a5f6bb33474aeda47df47329ddc7fb945c02455a7261895cf455e5a

SHA512
7265805778528aa90304d1a1eac855ef631271f25d59f14861221a7f6b94e1e3069db24fca311bd54ac812febae825895e8d215d72ec0503afc17005f56eaa06

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
33KB

MD5
0ee975422e8efd9e34f4d3500cff47ef

SHA1
260be99fbdf158cf2206b10be73782993167557c

SHA256
cb762e8a6d819c737d5eace14d1339d5c0b0b76cd452223bb0c1535ea4c22c3a

SHA512
73cf9c995ef6f5c8f829dca1e9ca0d5bd50bd71759cda54ccfc0ac7e54ebd0e653a5c76b1c533abe2523f87f7eed9f5447811df6069f8396a79e5a6243845538

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
8KB

MD5
8b524ad71afbe5e90b81a612bc07dffd

SHA1
977c9c4f0af8a17998c56f62b96593e1ff3d9d22

SHA256
86ff0fa54def8abab0955a2e83a496e249ec6bf6799ed69c1a76ae167cacd6a2

SHA512
cb47cbf665f6507afe041774db35642dcffa04412dac46408ce233a274f06e8065a128667b53c70390549beaa91ec1cced5d5cb5f4739d3295ac9d02c80fa877

Download Submit
C:\Windows\SysWOW64\Mkklljmg.exe

Filesize
30KB

MD5
1fb97a080ad031ad3b7ca3375fb8a395

SHA1
8070b61dbed21476ee44e821e8a80a8a18668fcf

SHA256
4485716908796be91ef02dd5d56c152af6d7ee6976344623a06ef2d814aef13a

SHA512
ffe1f4324d4c78e6bba4eb16683afc5e8a2abddbeaab3a15d1a2b19a7d1195694d5d5f6328338515e290638382f1d331cabf84be1dacd472c46dccf0b4c4bc3a

Download Submit
C:\Windows\SysWOW64\Mkklljmg.exe

Filesize
21KB

MD5
d96fa37d4a18b47ec46f5855c9974577

SHA1
bef66bc6707a8f83dc5f9cf10ad3baf383717814

SHA256
0b47a22e4bc77302bd09a753bcdaba44f32378e1abb6196a87f4816981146832

SHA512
1c87341cbc47056fcf336ab6ebf91bf3ef25813931b4cffc674a17d1e6cecd0ecbe6dd3355097737c736c13a855f551d65be66c8bdc717b206b7341414e37cc7

Download Submit
C:\Windows\SysWOW64\Mkklljmg.exe

Filesize
1KB

MD5
0aaea4a3262610be142804111dbba5c2

SHA1
6ca4ecdf065880462571d4c13cf4685b66ea62f2

SHA256
6d7294d1bb440d0969fe9f5e71790242c673d980a1cf9ca0adf8536ef218f5f8

SHA512
d9a2f917d9ba694bca272adac1434f6f3096f74fa96c90cef088750516b0a64f9c81ea34cb558f883d29006afc0c9c3c457a4bddc19df630aeba81c802ebc9c8

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
24KB

MD5
ff295411505c91e6363941c09cbf757c

SHA1
c309c646ca735b6699f6f6d6595dbfa3843c8d3e

SHA256
3b49b7e06ca15ade34df59cb22d3db87dd5476a3a99da8d0304f5191abda1f1f

SHA512
46b974760527bf7c6bec80ef858c867078a9aa35daa4e2df7f9c9131c7c2ebf04529494f066fe06ba7e3aaf1096dc5fb327ef94c8d7a124100d07db2df271098

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
44KB

MD5
f47f6ec70e6ae59ce23770404ab0cb61

SHA1
69ea836bf4e633aeca4c4c11cacedf9522c39bc5

SHA256
0e40738ce736f8e858e79782506419c6cf2f87cc67357342b6dd804fcde6c24c

SHA512
8460ba494714ee367ec765b4eb4dfd8fdcf7b43be16a67292eb6485e2d9ca0753ad6f7102a31774ce6a975523c219dfdbfc66ac085b448479fdff49733f6ecc7

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
9KB

MD5
8813a87af56b86e65d97ee1de8ebf8e3

SHA1
a9cf425975695b70a496e1dfb39c59fdf5f9ca20

SHA256
4cab17dda17d590e7a1bbe41c12c7292efd658079c84ee3e621eff409520ffd9

SHA512
900949d8ae201b3e786ecd8af45f3d89ded82c8e04ce5e5c8b979a51ff5f15cb0f00b85c286158b601130d2218244c37bcab5d1cfb1c700bd6004f418e824f36

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
39KB

MD5
cf205fd35535e38a606555d2d68576da

SHA1
03d2ecbbe549f6bf0663fd3130d0ec820c1b2bc4

SHA256
02281e8753be89303e574d496fdfe9e50948c2a9e6dfd2f65fe1da00b632e4e7

SHA512
3dd36291b527184e5187a25858c1424d1579b6d1781da10ded7292dcc2aa685129f7f18f7a0ce058e5f89fd4de625417f5672aa9500a623f6a844f143d6a2f0c

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
3KB

MD5
40e974f06dc7f700094e43d2e6813586

SHA1
634785f2adaeef848f915867669e43c4eaea187f

SHA256
f0fb47a04b796949f4114b54a713050753a43bfd44c6ae75c6576616860cb227

SHA512
471209f9808ffe386953379488a728ad7f40f0bd95b03b4538578885926592979628a976a39ac2a46ca8c9bfcada8327bece8ca802ae4d3a8d629c73fce93c1b

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
30KB

MD5
3b60e58766d6717f525f81bc47fbdcab

SHA1
ba92590c800448df5d6e933075cf0eb0458e8b38

SHA256
78c55b0903405020dc9e1ed992a9c561c9bb6fffa7e48f5a56ffaf348bd93716

SHA512
c9341ae2c3b35a633c5395a65825cba2c8090160e0aca196b0edb9ccdefdcaa5d5aed583fce58f1387af850325a5d0cceca4d8459109876134802485e959779e

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
304KB

MD5
8e449472dce9ee36f510aa9b075a37f6

SHA1
86a64e81a74a100dba55c7b3acad39fd23832b6e

SHA256
68456fc5154084c2976d8886510c60ada983a1e6f4ef255552b23a77a798b6a5

SHA512
59a0ffdeb4e8e36f6abef71c0a3e817d3dc71a4d41fdd220fef1f55ceb795becb680b8529edf7ee22ae4f1ed49d62c8d5de08bcfbeb5f81a6e318008c82af4f0

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
194KB

MD5
3f37230c693a1360da081c8331d1d43d

SHA1
ae7b9e840d684192d8017940a0c68086979d34a0

SHA256
d2b2fe9ee67c2c64563f54abd231c72532e6f96a498ea05689ddb759f3a45ae4

SHA512
a13344dac17158a02ce5bac71582712ee96bf846ee76c704eed63ce9ac8c2df9ba41266ec7d6652e2690f0993a8af337e2a359e6fcee90499802c7f005dbf2d1

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
190KB

MD5
0dd52767aaa1b5783c9fafac8c300959

SHA1
a6522e127e2665a3ffa058c29cd4fe012402d4d5

SHA256
3971e0511dfa319f9c6603e4e82812083199d2887fff27d121c74172eccdd45e

SHA512
e76f96318963cab48f352b31d0228f3d3e8bd37d1143e73e6bdaef7fa3bf111f0b0f8d62605917be47317bcf83c070f010aba6e773d211214b1c21b6084b609b

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
56KB

MD5
3467bbfa5d5bd2720d6fb695bde96922

SHA1
1e463d7593a88195697c33977089db3bc9d42328

SHA256
2499e3deb839c1b773be75f5bfc9ae28e73341e851b435fa2e1262ddec5ad68a

SHA512
a74b6af51b56863d2bcb448d69093e36593f78728a9df144ae1e736579a99310c10fb343e1fab489d374b756efc8f16f3d02a2b7f14a416e824b361d6ca01a2e

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
77KB

MD5
2ceaa32fc3c01b5360ac3b65910ec4d4

SHA1
b66dc77a1af2bdd41e6eab2e560d9a0a18814906

SHA256
583bf34dd689b078b30dceb2bdcc23e41af4f4be4d1cad2990b57061653f6d8e

SHA512
a7a4896a5bcc68f3696b598bbfa4ec3bacad92867e57221e5183cd8a6ddfdccd8a9d4eb9ab4826889a3c615c3c30faefff15a20a0ff7adf8b22e6ee97994aa19

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
386KB

MD5
8bcf22e935f3a406557384c7014c037c

SHA1
9832ab9ad1abb7058630ea841ce818ef50e7aab9

SHA256
813a184e21c7e753be16c61908a5f12ccbad0ff30f087e653d9b49090e09b5b4

SHA512
7adf12a9ec0ae71a30fd5ae51e6f8af8fc3b8d6773c937025942b8db37dbb760b5693cecf7859f7897c38533dea67b2ca9ce920ea9aa539dc0dbd007a628f693

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
355KB

MD5
8ad7588187482de2c4a422e15975b33f

SHA1
046722215c6ad90d97586b4cb77110cfc1ec4d1e

SHA256
c261141a4be42fb66d629af14502ce1ee75df91deecf2eb4485c5e303b48744d

SHA512
684573df1dbd22c58a930e1936bbdba2f2ce0d214488095d8bed223ff2e5798bea9706e7c6600f00bf0acc177993e94c66e7f850fa88d147a7392062fe5410c3

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
193KB

MD5
099c4cee2ec09d83c7c162660f477f40

SHA1
f31c1e7b692fe4a876876a2dad06d7296091352e

SHA256
bef2e552ba7c490e78a8f8dec896214cb8477c95e91f181445f61f257f5eb4fb

SHA512
fb034b0c714c196ce632cd3caf5ec6d0e383599651b08654f6834cd0a9d11e221f93c9838a7f2f39025b472f13cddffae3788822ca152c8ddd1b25a0aeb28b60

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
124KB

MD5
85ccd7a1b09c21b965699c77eab97b60

SHA1
503a5acf7b42b0aee184f12ebc8f754b03bd504c

SHA256
852b7af4398aafd3bc396ec01621d2ef9c3845e520abc2fe656c9329ec2e9dcc

SHA512
bf62537448d970f84df7415d6472a4709abacaf1d704d05ed0cf39e73441bad913ed7ea42d87ef9e60d3b42f2eeef1f973d33e36386e4fe89f989cd4cb7056f9

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
225KB

MD5
96315a936eea66f264a35ca597c13e25

SHA1
55cbcde399d987a8ffe0cba0afcaa9ba8149bc8c

SHA256
cb23a865dc2c37b1b1ef609f968b0f95a97fe50f3868c8685b4775d73c8ba63d

SHA512
e56253083847ead74716c571fe4e64fa590c6a75bc05466546493dc76686e79153cd5050903adab89bc52f79f9163fa5634bb3031196527c41a5e7b99c052869

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
185KB

MD5
3432491b57a55fc08a370940ef348eca

SHA1
4c1d1dbe9999a67f91c677739f0cb24866726640

SHA256
3de0c28a73c8b68f791c439a5c2e84679c70e80772ab292ed56ea90d14698917

SHA512
6badcbe177f24ed4f93ef48b802cc9b36e21b2d41b906f3ed6b9e9bff6593b7a75ebe1fde4decde4282bf4f659da4316e4cc6e2d44e1280dd176deffcc1bedd8

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
97KB

MD5
797e3d9277ea38f1d3cc13a2e4005aca

SHA1
5332450e484113a5678375f2d4f105424b866ba6

SHA256
2255c722b1fa45672a4a8afcfe6334c003e5383f3e4b1231b2087c1a23824d05

SHA512
bf5b7ee828eebddf0ee068a5ecba1ad22c55d9280ac900d4eba09828454b97d70921f11c312e6397942eec6121db38db0b6489cf1605a5e0f6a63f3402593c2f

Download Submit
\Windows\SysWOW64\Mdacop32.exe

Filesize
48KB

MD5
5ab3b2978f71166727ca6ff127efe58f

SHA1
bbd857aa8f1b9711610eb30cb17d5a3693077681

SHA256
f42d9447a586af89b431c37d26c1eed51ac29682f46b36eac653f427c620b3fc

SHA512
c103200fe06235872f03fe30019b53baec9e2f9db88d83e5dd777ff443716e0657585b8b10582a47245c6a6abe4ea52a1464adfed2de480acc6ba6b71bddfa62

Download Submit
\Windows\SysWOW64\Mdcpdp32.exe

Filesize
33KB

MD5
9ff191789938cf00727595bd4cabf3ea

SHA1
6bd0287e8ab89532e430b13681f483f549545cc2

SHA256
a5c9f669e65abaa7d6be6ef517d53d60d6b98a1e915bdc1584236e4eef8ba578

SHA512
0157c5fad26f39b09d73e4983baa7e8d71189f169e096bc85cf20e9cce67f8d943089b8d9641da21ad88b210b655312bac63f2066869b71a94544b9a57728aa6

Download Submit
\Windows\SysWOW64\Mdcpdp32.exe

Filesize
14KB

MD5
2ccbd13d53131045b350777623d47214

SHA1
4eb991e36b60818baa23b4ce831d69135577dfc7

SHA256
83b2a14b44bd928a3a0ffae3c6aeeeb14e4933464138938f87941d2511983c6e

SHA512
df047d9d8c528bcc0bbb7476db4620eca6bc57c24a9ef30f57dc820daa483a211d19db4c43daafd1c0ef523b6ff1c1c55db3c819d982d5e6651172e16e254c39

Download Submit
\Windows\SysWOW64\Mgalqkbk.exe

Filesize
11KB

MD5
8758aab431d70e7817c2190bbe5ad498

SHA1
b1badf2226f0914a0f442fc84f2faaea1d3adab9

SHA256
10b3e4e5ab53639c7d24465102b65805e12bca714a2c6c7b2f7cba5fea436075

SHA512
835cc72e55309edc1f0a6e625f4e93111676e6666abdb21127420c2ea38e89e8f0287626124412d3ceac7e509cce6a22003b16728189f99f19c06a86169d2627

Download Submit
\Windows\SysWOW64\Mgalqkbk.exe

Filesize
42KB

MD5
734d69b6aae3f37168f1c145d0a3ed8d

SHA1
b9de53f526e232cf7b8aed4b073ffa750150b75f

SHA256
b6aa5948c2e597950363bec164f7b9fe0ddeb5b0e504395781614bdb7ec51e48

SHA512
e271b9d824db4cda658a811e78303ec9184e99f65d32e3615af0272d2ba74c6060291d3aa4ed4dfd0d772050d88f09162b8c2e529f5c93215637a54b48a15738

Download Submit
\Windows\SysWOW64\Mkklljmg.exe

Filesize
28KB

MD5
cf9314ce5f054c621ef0f4e226933133

SHA1
1e76d22bb3fe275ca05441d46bb30ea0ec616092

SHA256
a9732040cfcb09aaa47784ff0b7a46d27bd53552be64469d788bcc507d5c60b1

SHA512
a0e28a7519f0bb847e852def33465d796fa90555ee66597f758a3f0117988eee81bb6c136dc7be969e6506bf64ce912d95853b58b27a7a24153d7ed156872d3c

Download Submit
\Windows\SysWOW64\Mkklljmg.exe

Filesize
55KB

MD5
37197a13753a0c48e4bcb37da027bb09

SHA1
e6807a22d3b027615bce2ede3a3ee643dba6a214

SHA256
10130b4c99a88da70a27de4518801dc71911299605baf06a84e6a217a838cdb5

SHA512
90d59304b6f91306b62aebfc24f4f9736f45c57463ecfd8b4e6360e8b2e13cbae94bfaf47170a4824c5a522c473d34d7a5fec1b6ec1a6d9d05243b80f4a2ea99

Download Submit
\Windows\SysWOW64\Mmihhelk.exe

Filesize
29KB

MD5
c2c23cbeb5b5f0dd203861d8cd2e7740

SHA1
ca43e86ac7d9667924a240749a75d54d514453ce

SHA256
e4890235f8ae41d10ca1b717d8c3fd8548f517eecf498e0e3857c9754fea6b9c

SHA512
c78933a81759da6715c47016803c18ffbe517b8ff32ea17289ce05a95da94d74524a1ad28b424044a75a2340645be5efe629c73bfe4e05f6c8bebbb2a975fdcc

Download Submit
\Windows\SysWOW64\Mmihhelk.exe

Filesize
20KB

MD5
43616582bcb60ca23fc5fd3b984ca964

SHA1
256e76d6ff4c485156b02abfa64a55bb473e84bd

SHA256
7816a8c2fb870d86455f46ce0cc567b801ee69bfa77fc3f3ee896860c45cb9a2

SHA512
11540362ac4e7c1b0596439559e35bb0398c7ddec24dcd2982d8dd8863f1c81e0667f76d7de147edee78c892ecc7609f3ae8656de713466b29a3e50a22818f14

Download Submit
\Windows\SysWOW64\Mmldme32.exe

Filesize
12KB

MD5
8e98b10ff8301357ad4ad841c67cbd49

SHA1
f0d433339bb7a897bccedf1042f0d7bb9fe42a6f

SHA256
04db8d595e0efbdf5859d81e008930a08ffaa204770c1931f68909ecd529811f

SHA512
42d960a1c0ed98eac211070a65852186a9caa30de501782997b5f32d87d027d0d705a49d6ffa4a324b7df20bc87ea6c808ebd86f13a89fdbf5a576f4daf5f8de

Download Submit
\Windows\SysWOW64\Mmldme32.exe

Filesize
7KB

MD5
5b8ccc3b1de0a73bab33e521ae02dc3b

SHA1
72c55ae701b2c9d7737af793dd10751dffcd3f58

SHA256
3e7e2cdc25e74e0be79d556d931591c5e916be38117cefb36bb51c6d564fc41a

SHA512
0f0cc3ddbd550416ed64f593985db987a10d4be2fbfb85f38366d57cb310f6ad04d0407f2de4b2aed5ed1c7b2b40cc4f09f55754105dcba0a88c6ba0b2c9a12c

Download Submit
\Windows\SysWOW64\Nckjkl32.exe

Filesize
350KB

MD5
9e012539af38210b54e40e47a557ec17

SHA1
6f807c1653b3411a7425fde31d30ac980741a02f

SHA256
fded371180e23bfeed15a4178ad43fdd262406d7b73d55830e6806b42b79ee8d

SHA512
5834abfe25fb3dce6d9c3d89bb37424c7ff417abab027d949d6150f082ff80357e79e48d83520335f00df30d78dbd1270577af2a7a26b3182327e3b3c51982cd

Download Submit
\Windows\SysWOW64\Nckjkl32.exe

Filesize
386KB

MD5
eef1f28aff32ec0ccc1b7dff3d029a7d

SHA1
010ced41294963a009cfe1107d6250921f953964

SHA256
ae84693c8662f971a618984d3a3b31812c73949f670a8b42ad15e69c3dde78a6

SHA512
77132ea9af147fdf80d96580c091ac4846c37ef807674967fad1614ad3c621afea7656d59e8278aa736ae6b42b306d4e0a6a5b24b200a118dfd61fdd51177dc4

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
65KB

MD5
f9d868b55231877379c6280c5df0c685

SHA1
6c5b9f1d83b41b76a292c2b07457fdadf9c3db02

SHA256
3c381d12c51d395c46ead5bd45d242369b93823d918bbca8cf211ebd78e7c0e9

SHA512
5b97a17d57a1aa1e2ce41785f5c00ae47b616e3e658ec1f33cbb6ea8eaa80c028b8b4133335d070a98b8094781544b0dc771543d9831baa4fa5509fd260a2f29

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
65KB

MD5
0a043390115efcae56d78c8a6f4711c0

SHA1
3222c7707b9d1f3f7fbdf9c1924b2c0c61bcc537

SHA256
b29c076c56b77153f40a50aa900adbfa88910e95843893403ce7e2492de1fc9b

SHA512
30cf9f9f2581229d3692aadd6410ebce74b35a5d31bf936b4de78b37164c661150920bcaddc666ba698d7a400a96c35fbdc11633407e357aa7c515920ccc0d7a

Download Submit
\Windows\SysWOW64\Nhaikn32.exe

Filesize
39KB

MD5
5c71a28a5d4f0b1367f250bc7b5a690e

SHA1
5f3f9d20435853a45a1ea71caba2e32e16e98cd9

SHA256
68d56cb9c21eb7b1a9c978b47e7b1ed3890c5bb4cf42e021e0de2a885094d214

SHA512
8eab102dab4c43c0d35768173cbf2c3f3a863de8a0ee089c0ab20deee4bdb780b0dd9516f640d039c1366c48f094b41986623864d78d14c4ee062fcc603ed860

Download Submit
\Windows\SysWOW64\Niebhf32.exe

Filesize
132KB

MD5
21dda8213893e92c939f613a6badfba3

SHA1
f41e73b1ff5a07361d8af3ae44a2ccd39d806d0c

SHA256
8635be78643f2598b659ffde50b879a14e79425680149fd0b825339b38b52b16

SHA512
c83d43eb4acf44b03cd2aa0bf448928834a8bc510d2358f67114c868266d8741c636d62ba08ec94218516161084c98d06f6fad39a93a383feea88efb313086bf

Download Submit
\Windows\SysWOW64\Niebhf32.exe

Filesize
92KB

MD5
466ae7307cab10272beb115f2495bc95

SHA1
dc32b4c6c99cbcc804e412fe78c16284bdd8d13f

SHA256
9b8aed7aec75495ba79208b05e6758b5a6390b09144bcf7f9b72e326cda69412

SHA512
8f91da9d6b974a8aff7be5ea0b85b95a92645b7bd2010082bf3ec7a21480192869c1af016a432fa14d0340b0f81d3636cce58a06bd7bc135aa089e0b06673d9a

Download Submit
\Windows\SysWOW64\Npojdpef.exe

Filesize
106KB

MD5
bd754c4ab8110aa244770944cc422bf0

SHA1
126ad1a92e76ba4d3264e3d106d38410fc39d7f8

SHA256
9246a2ed20332989d3f71e4b9cc54c89b62386bae833186bde7a9e726a973048

SHA512
896e14a979f1572f9f5c911b9c79cfcce660e3b0ca6d409cf4dec65fb07d6075ac65952c4bf2a75b6b3e8aa32690f711136b13351422a5974192f444a0bbd357

Download Submit
\Windows\SysWOW64\Npojdpef.exe

Filesize
66KB

MD5
f923d1d254bb10da549ac70c79ed3b7d

SHA1
5e26045064f2bf6132e166349ff3a2839ab9f8a9

SHA256
12729f5816440c4ef8fa6486c96cdd1156bd1b887eb08378a0223847d0c46182

SHA512
6ca7a3abb4d46ff292e57bcb55d5c8c85047832b9044241ebf79d29f2c018f68a6f23a4aecbac17372b9cbcc087f13e1a952a04fb6ae4788c05bca7629a9f3ce

Download Submit
memory/268-131-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/268-144-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/872-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1512-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-173-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-185-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/1924-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-200-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1996-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-6-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2008-13-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2456-198-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2456-104-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2456-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2480-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2480-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-61-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2772-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-118-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads