berbew | 1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Size

55KB
MD5

42c6d8871cd4429439fb8a2049447dbc
SHA1

8329618c36f07132752f0196c75d5068eae3d849
SHA256

1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a
SHA512

5192e07fa6017ed719cffa34e7dc2cdb4aea879b805bafc8db57acb32004c1145e89d7380758ea1748d8caf7ad806ad75921396c25e1da6fe7aeca7272588745
SSDEEP

1536:F+reujmD7SP+hlq3rycMN/Cf9NSoNSd0A3shxD6:F+hmH+0AYZY9NXNW0A8hh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
2564	Mhloponc.exe
2620	Mlhkpm32.exe
2616	Mdcpdp32.exe
2532	Mmldme32.exe
2540	Mpjqiq32.exe
1932	Nhaikn32.exe
1044	Nibebfpl.exe
1668	Ndhipoob.exe
2832	Ngfflj32.exe
2656	Niebhf32.exe
1944	Npojdpef.exe
1596	Ngibaj32.exe
2672	Nmbknddp.exe
1848	Npagjpcd.exe
3008	Niikceid.exe
2116	Nlhgoqhh.exe

Loads dropped DLL 36 IoCs

pid	Process
2092	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
2092	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
2564	Mhloponc.exe
2564	Mhloponc.exe
2620	Mlhkpm32.exe
2620	Mlhkpm32.exe
2616	Mdcpdp32.exe
2616	Mdcpdp32.exe
2532	Mmldme32.exe
2532	Mmldme32.exe
2540	Mpjqiq32.exe
2540	Mpjqiq32.exe
1932	Nhaikn32.exe
1932	Nhaikn32.exe
1044	Nibebfpl.exe
1044	Nibebfpl.exe
1668	Ndhipoob.exe
1668	Ndhipoob.exe
2832	Ngfflj32.exe
2832	Ngfflj32.exe
2656	Niebhf32.exe
2656	Niebhf32.exe
1944	Npojdpef.exe
1944	Npojdpef.exe
1596	Ngibaj32.exe
1596	Ngibaj32.exe
2672	Nmbknddp.exe
2672	Nmbknddp.exe
1848	Npagjpcd.exe
1848	Npagjpcd.exe
3008	Niikceid.exe
3008	Niikceid.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mhloponc.exe	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
File created	C:\Windows\SysWOW64\Fnqkpajk.dll	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Npojdpef.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mhloponc.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Nhaikn32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Nhaikn32.exe	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
File created	C:\Windows\SysWOW64\Diceon32.dll	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Nhaikn32.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2124	2116	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmldme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhloponc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diceon32.dll"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2564	2092	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe	28
PID 2092 wrote to memory of 2564	2092	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe	28
PID 2092 wrote to memory of 2564	2092	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe	28
PID 2092 wrote to memory of 2564	2092	1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe	28
PID 2564 wrote to memory of 2620	2564	Mhloponc.exe	29
PID 2564 wrote to memory of 2620	2564	Mhloponc.exe	29
PID 2564 wrote to memory of 2620	2564	Mhloponc.exe	29
PID 2564 wrote to memory of 2620	2564	Mhloponc.exe	29
PID 2620 wrote to memory of 2616	2620	Mlhkpm32.exe	30
PID 2620 wrote to memory of 2616	2620	Mlhkpm32.exe	30
PID 2620 wrote to memory of 2616	2620	Mlhkpm32.exe	30
PID 2620 wrote to memory of 2616	2620	Mlhkpm32.exe	30
PID 2616 wrote to memory of 2532	2616	Mdcpdp32.exe	31
PID 2616 wrote to memory of 2532	2616	Mdcpdp32.exe	31
PID 2616 wrote to memory of 2532	2616	Mdcpdp32.exe	31
PID 2616 wrote to memory of 2532	2616	Mdcpdp32.exe	31
PID 2532 wrote to memory of 2540	2532	Mmldme32.exe	32
PID 2532 wrote to memory of 2540	2532	Mmldme32.exe	32
PID 2532 wrote to memory of 2540	2532	Mmldme32.exe	32
PID 2532 wrote to memory of 2540	2532	Mmldme32.exe	32
PID 2540 wrote to memory of 1932	2540	Mpjqiq32.exe	33
PID 2540 wrote to memory of 1932	2540	Mpjqiq32.exe	33
PID 2540 wrote to memory of 1932	2540	Mpjqiq32.exe	33
PID 2540 wrote to memory of 1932	2540	Mpjqiq32.exe	33
PID 1932 wrote to memory of 1044	1932	Nhaikn32.exe	34
PID 1932 wrote to memory of 1044	1932	Nhaikn32.exe	34
PID 1932 wrote to memory of 1044	1932	Nhaikn32.exe	34
PID 1932 wrote to memory of 1044	1932	Nhaikn32.exe	34
PID 1044 wrote to memory of 1668	1044	Nibebfpl.exe	35
PID 1044 wrote to memory of 1668	1044	Nibebfpl.exe	35
PID 1044 wrote to memory of 1668	1044	Nibebfpl.exe	35
PID 1044 wrote to memory of 1668	1044	Nibebfpl.exe	35
PID 1668 wrote to memory of 2832	1668	Ndhipoob.exe	36
PID 1668 wrote to memory of 2832	1668	Ndhipoob.exe	36
PID 1668 wrote to memory of 2832	1668	Ndhipoob.exe	36
PID 1668 wrote to memory of 2832	1668	Ndhipoob.exe	36
PID 2832 wrote to memory of 2656	2832	Ngfflj32.exe	37
PID 2832 wrote to memory of 2656	2832	Ngfflj32.exe	37
PID 2832 wrote to memory of 2656	2832	Ngfflj32.exe	37
PID 2832 wrote to memory of 2656	2832	Ngfflj32.exe	37
PID 2656 wrote to memory of 1944	2656	Niebhf32.exe	38
PID 2656 wrote to memory of 1944	2656	Niebhf32.exe	38
PID 2656 wrote to memory of 1944	2656	Niebhf32.exe	38
PID 2656 wrote to memory of 1944	2656	Niebhf32.exe	38
PID 1944 wrote to memory of 1596	1944	Npojdpef.exe	39
PID 1944 wrote to memory of 1596	1944	Npojdpef.exe	39
PID 1944 wrote to memory of 1596	1944	Npojdpef.exe	39
PID 1944 wrote to memory of 1596	1944	Npojdpef.exe	39
PID 1596 wrote to memory of 2672	1596	Ngibaj32.exe	40
PID 1596 wrote to memory of 2672	1596	Ngibaj32.exe	40
PID 1596 wrote to memory of 2672	1596	Ngibaj32.exe	40
PID 1596 wrote to memory of 2672	1596	Ngibaj32.exe	40
PID 2672 wrote to memory of 1848	2672	Nmbknddp.exe	41
PID 2672 wrote to memory of 1848	2672	Nmbknddp.exe	41
PID 2672 wrote to memory of 1848	2672	Nmbknddp.exe	41
PID 2672 wrote to memory of 1848	2672	Nmbknddp.exe	41
PID 1848 wrote to memory of 3008	1848	Npagjpcd.exe	42
PID 1848 wrote to memory of 3008	1848	Npagjpcd.exe	42
PID 1848 wrote to memory of 3008	1848	Npagjpcd.exe	42
PID 1848 wrote to memory of 3008	1848	Npagjpcd.exe	42
PID 3008 wrote to memory of 2116	3008	Niikceid.exe	43
PID 3008 wrote to memory of 2116	3008	Niikceid.exe	43
PID 3008 wrote to memory of 2116	3008	Niikceid.exe	43
PID 3008 wrote to memory of 2116	3008	Niikceid.exe	43

C:\Users\Admin\AppData\Local\Temp\1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe
"C:\Users\Admin\AppData\Local\Temp\1e3664e0415fd3d2b1b141a932701715ba38c7e40d0fa31c8dcae9b7cb1c9d9a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\Mhloponc.exe
  C:\Windows\system32\Mhloponc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\Mlhkpm32.exe
    C:\Windows\system32\Mlhkpm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\Mdcpdp32.exe
      C:\Windows\system32\Mdcpdp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mhloponc.exe

Filesize
55KB

MD5
9b670a22fa6e2193bef1cd16a5904aa0

SHA1
85c56aa97cf41c3fd3d7d7981807c2e1a9515d42

SHA256
43e1ade4de957b1d5c06d04f3cf15c24627c24d1f346fc537207a7ed1de9dd88

SHA512
384a236f9bece4108cf44935c8ff71199b70eedfacb1116c8775a3516efa7c1b7f70b69286b8b0eab21f3b81badad20ed03a9d9bea5de985171b2c0e9e253074

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
55KB

MD5
5da46060fa9462408d3287eebf7890b7

SHA1
028ce020934838b80abfdc0363a135de90049734

SHA256
71a67e7487ebbe3d5ef180badbb572109c8b6256a99e9f7e913936e33997d1db

SHA512
d317b87082e7b4eea0696ae1ee29ff01b84c7f35e94499d53caec6e4f5c80f6e18f30334b7d0576eae6af6a6c9200ce4679e8bc697895dd16a168261e0af451c

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
55KB

MD5
1c9d69c569caa0dcbf95f2d356359720

SHA1
0795e75cd3cf2387dfc21d42aeee86d7562ec5d3

SHA256
130ab9ceed8ce8c2d7b626399e238d6a664537f7f5848aa4af5627b747d331bb

SHA512
600b752f20d1c636170fb9cacc57716e6bb27f3289084fbe332d0280925074635cfc2ec8abd5dbe067f9246258aa8a9579e678da4f2d3b7f594e076d875e2dbe

Download Submit
\Windows\SysWOW64\Mdcpdp32.exe

Filesize
55KB

MD5
c7790a0a9c9e9ab37d48652efade67ac

SHA1
912b4a6779c10250b5152f1ae2c75f36354af02e

SHA256
f67169a3e939062e98c45f84038708f851df7630ee0f0675c19c1823852a689a

SHA512
4f6a8ac0defa5cf3243d5881953f86d9ed34f16180e42ea3fd7eca6083f4f4d7cc6d7fc221d26943dc4f930874380cd0a31f7fdd7496d9d22fd59d89f6354c1f

Download Submit
\Windows\SysWOW64\Mmldme32.exe

Filesize
55KB

MD5
71b7bed85f257a996b66ba536bce613b

SHA1
9d97e21fdcc652b101fa4c4fee94a7b8b08ef337

SHA256
19d06fe79f0d03a8cfed5c02a1d5442c191a67cc84003ad43a5ec4b6bcd61702

SHA512
70d72f1d7dc885dcf6c92639f529733215650d0f0e383c542c1881fe72f41cc63c89ac21e106fedb8b5d272c72130ea9cf8d6be4b3b66c2000a03ca7ab460958

Download Submit
\Windows\SysWOW64\Mpjqiq32.exe

Filesize
55KB

MD5
4db7af2696dc8a89758d49a374ae4119

SHA1
19858499ae074b3b0a3923733ca9271f0ddc4f0a

SHA256
769585c98819b413de16a5a8c6390c79236d4945f806611b6d9e211a55b42611

SHA512
1be990a4a86a97b623a10ffaf540da315dd64c0f4814908a18b0a9a054995756593d524e1a336a3f794d5d82763d01b68822f2f85a42fa642f87819f2f3c681b

Download Submit
\Windows\SysWOW64\Ndhipoob.exe

Filesize
55KB

MD5
c039520b8e30c67a9e5847ce35c8ebd5

SHA1
ad8ea0a8f3bdd143bdddc21804c8f82c3099ec42

SHA256
08a4e0fb3ff52cd621f39068bcaa6cc64de81c3e14172070832a5eba2c65b737

SHA512
fa19a6a46ecf04bc97219887aaa03d1feda350889c2502ae0bd6aa2b7b00ca17beba1d168efda4d6640a093d92bb354afe71cf76f7960f5afa91aba1c8549f08

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
55KB

MD5
b061a8441518b4f20e5060dfff77afbc

SHA1
05e0e07fcd87475a9f8c426d02192f440ed47188

SHA256
b01dfb5ba2b612e06c9c773a9fb1e6fd9aac1df3e14dd7d8d3bbe510a1d73a84

SHA512
db98b86747478011e01c47bd3613365a2e9fdacffa7a96d50e344b2d162417fd41a8121eb11bdbfaf9816fb9775c161361488ae372bb8649c9cb049e4e8ee122

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
55KB

MD5
35796dd394ea4ac9b885c161bb15b1d4

SHA1
0bb378f30a1481643755203519b4e0237886ef86

SHA256
2e086e3df53f37b662e23a3c8c17127cb869266c4d7efe5d0aa817b1d480b8e6

SHA512
1ca9c474b8a7fa3850446c0d2acd76a02007d1e02435813f3b758da0978b8a9578fc5072d9a0dfb55f08a0f7a145ae4324e36d5a994d8599243f94306722eb33

Download Submit
\Windows\SysWOW64\Nhaikn32.exe

Filesize
55KB

MD5
466d5f5e6959e4434589e6dd8e6c227d

SHA1
f7635e63b52a2ba2b46f2918263d2d9b6eb1b841

SHA256
9352c2f088e06dd070561a081df4e37f9d1e0a42ffb8ecd519c067500a49d09b

SHA512
9c832322ef7b0a88d8123d8187e0d0c32d1f05898e797c01d2c11a4371eaa296a0d4e466c7d1733e3f6e0ba6196ea091d7abbfc10aa0fcaf31e1ce58a7053805

Download Submit
\Windows\SysWOW64\Nibebfpl.exe

Filesize
55KB

MD5
fcab754add7a5eaa1975d6f85471e454

SHA1
0e9d40e6e85d96f65d0a119337ea97f369e0c0ad

SHA256
fd128474605d4e6db9bbac0e0f224270bc6d3a8b33a901aa08b94a4ed6ab00fb

SHA512
6be0eddfa27c5278fc775599301d992a904ecec5b9f55b8dc78569864f4eb445aa4121626e015232121b1dc0c25ccfd14817cb4e19df6c7c2ab85c851641949f

Download Submit
\Windows\SysWOW64\Niebhf32.exe

Filesize
55KB

MD5
3fb2a568264254079b1eccdf5971b23b

SHA1
41c757e961318e1b8294d6f13d347d4390b60bd0

SHA256
2cd798701fec68dd5eab81faf972b4b72d53b6a086787d2ab5b5afb6aae6dcb6

SHA512
67e5841f9c7f6e107809af10a3549c74adb4a9f236095627847be01c719ddaac3eef32ee5745cae41c9549537ca1036aea545227d3f934e89cbf1b0b481b617e

Download Submit
\Windows\SysWOW64\Niikceid.exe

Filesize
55KB

MD5
d836f3efc05d82fbe54407ac1aa7b51f

SHA1
dbdc68b6d501ecdef2d82e4664da132025223a94

SHA256
27b5d943a2994a4e0123d4950b316d56aae2972857e5c54a5da462796352e95d

SHA512
bfac7b3eca3c5342576ac811c7dc238f871c5980912fc56467ff81ef38394eee1dd8058789731d90a8789b76beb1212562fabc27f3f6bbb3d65de5ce60018e19

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
55KB

MD5
4a7d334fd5749514acd1a4affaf443cb

SHA1
0707d2e935bb4b387b098f49d11a054f6abe18b5

SHA256
876fdc4547cf33f5a6d494b3771c6f49038d2ed301c68e0ceb023fc3c3d6b87f

SHA512
70a111a696cd6f0079ef737bc692260da9a55f943a40a44ef10d446eb996dc46833597db8d8d57439be37c1f0e3597b4537f6df64b52216a3cffa711be70d0c3

Download Submit
\Windows\SysWOW64\Nmbknddp.exe

Filesize
55KB

MD5
a84d227cffbaa20b6981823fb7860d7c

SHA1
b375d397f15a1ac32a1e30d557a68a9099bb4d3a

SHA256
eb87ed88334cef25593cedf6bf7d9736ece99a2fa013cadfaf5f403b2185c763

SHA512
a840d9b6a45d6b21852e62879f7aa0eeccf67a0028d6f1b8196c278482a310d7c4a0c77bb8e671aac5f38aad95b41b042f3b2ff9fa0b765b4785f16f4fd72b44

Download Submit
\Windows\SysWOW64\Npojdpef.exe

Filesize
55KB

MD5
0bb6a612170ca8acd21a742f58b573bd

SHA1
aecca9b2f7817c2fe7f52602e4a414c5c1bf96b4

SHA256
a5c536797759f4db3a6c2368a0b1d4a222907ba6cefe756ba4018c2793bafd02

SHA512
54f26e898a1626a538b094e921af2d25a45ad4d1f1eca61f913bbc34d0caf64cc209a4981de71fd133689032d365766909550792a198697d269a00fb910da1c2

Download Submit
memory/1044-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-178-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1596-173-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1596-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-116-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/1668-122-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/1668-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-201-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/1848-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-90-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1944-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-164-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2092-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-17-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2092-24-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2092-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-68-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2532-62-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2532-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-53-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2616-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-39-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2620-40-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2620-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-145-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2672-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads