Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2024 01:28
Static task: static1

Behavioral task: behavioral1
- Sample: a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7.exe
- Resource: win10v2004-20241007-en
General
- Target: a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7.exe
- Size: 128KB
- MD5: b9b8365aa367f971c9b0c5d0a4a005f2
- SHA1: 9c294bd2fe72a75e08ae2da2bdad4c368a73c745
- SHA256: a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7
- SHA512: 3720e4997b144487072bca3fe0d3a8667b3ce42e81917ed8e794cbb16b9ca34a5a28d63ceb5bd6743e292b0724cd33cf22841afd71c201a3b42158702af81ced
- SSDEEP: 3072:eXc3kLXD6kIz4IkNvI1oE+iCLs+8BJGmwDcUg8VLY3FQo7fnEBctcp:JkLX2dz4Ik9soE+iCLs+8BJGmwDN9pYK
Malware Config
Extracted
- Family: berbew
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 42 IoCs)
Berbew family

Executes dropped EXE (21 IoCs)
Loads dropped DLL (46 IoCs)
Drops file in System32 directory (63 IoCs)
Program crash (1 IoC)
- pid 1968 (WerFault.exe), target pid 2612 (Nlhgoqhh.exe)
System Location Discovery: System Language Discovery (1 TTP, 22 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2812
2. C:\Windows\SysWOW64\Legmbd32.exe
Command line: C:\Windows\system32\Legmbd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2660
3. C:\Windows\SysWOW64\Mbkmlh32.exe
Command line: C:\Windows\system32\Mbkmlh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2556
4. C:\Windows\SysWOW64\Meijhc32.exe
Command line: C:\Windows\system32\Meijhc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2532
5. C:\Windows\SysWOW64\Mapjmehi.exe
Command line: C:\Windows\system32\Mapjmehi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2580
6. C:\Windows\SysWOW64\Migbnb32.exe
Command line: C:\Windows\system32\Migbnb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1896
7. C:\Windows\SysWOW64\Mabgcd32.exe
Command line: C:\Windows\system32\Mabgcd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2804
8. C:\Windows\SysWOW64\Mdacop32.exe
Command line: C:\Windows\system32\Mdacop32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2388
9. C:\Windows\SysWOW64\Maedhd32.exe
Command line: C:\Windows\system32\Maedhd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1192
10. C:\Windows\SysWOW64\Mholen32.exe
Command line: C:\Windows\system32\Mholen32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1544
11. C:\Windows\SysWOW64\Mmldme32.exe
Command line: C:\Windows\system32\Mmldme32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1872
12. C:\Windows\SysWOW64\Magqncba.exe
Command line: C:\Windows\system32\Magqncba.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2760
13. C:\Windows\SysWOW64\Ngdifkpi.exe
Command line: C:\Windows\system32\Ngdifkpi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2428
14. C:\Windows\SysWOW64\Nkpegi32.exe
Command line: C:\Windows\system32\Nkpegi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1780
15. C:\Windows\SysWOW64\Nckjkl32.exe
Command line: C:\Windows\system32\Nckjkl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2156
16. C:\Windows\SysWOW64\Niebhf32.exe
Command line: C:\Windows\system32\Niebhf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2244
17. C:\Windows\SysWOW64\Ncmfqkdj.exe
Command line: C:\Windows\system32\Ncmfqkdj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1720
18. C:\Windows\SysWOW64\Nmbknddp.exe
Command line: C:\Windows\system32\Nmbknddp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2360
19. C:\Windows\SysWOW64\Npagjpcd.exe
Command line: C:\Windows\system32\Npagjpcd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2364
20. C:\Windows\SysWOW64\Nodgel32.exe
Command line: C:\Windows\system32\Nodgel32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2020
21. C:\Windows\SysWOW64\Niikceid.exe
Command line: C:\Windows\system32\Niikceid.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1776
22. C:\Windows\SysWOW64\Nlhgoqhh.exe
Command line: C:\Windows\system32\Nlhgoqhh.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2612
23. C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 140
- Loads dropped DLL
- Program crash
PID: 1968
Network
MITRE ATT&CK Enterprise v15
Downloads