berbew | 60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Size

364KB
MD5

64be96deac971ba9d07a2c71d1542228
SHA1

d56e1159595dcc9950055ded51f5a3aedc3ab7a4
SHA256

60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f
SHA512

f88bf1315a5070ce76ef3ee1d865d78c560f7616bb3ad2f42aea64e47a09fa5eb3426413bbc1090ea4f529ebb898d4c7ae64a645ce0dd3f302046477a8ccd7a4
SSDEEP

3072:+9xQAXBNJN24ho1mtye3lFDrFDHZtOga24ho1mtye3l1m45z7mqZz24ho1mtye3b:B6pisFj5tT3sF1m45+qZ4sFj5tT3sFq

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Linphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 20 IoCs

pid	Process
2684	Lgmcqkkh.exe
2564	Linphc32.exe
1680	Laegiq32.exe
3060	Lccdel32.exe
580	Libicbma.exe
328	Mpmapm32.exe
2076	Mieeibkn.exe
2088	Mbmjah32.exe
1252	Modkfi32.exe
2828	Mdacop32.exe
2872	Mlhkpm32.exe
1736	Mofglh32.exe
2344	Maedhd32.exe
2708	Nckjkl32.exe
2632	Nkbalifo.exe
1072	Niebhf32.exe
1900	Nlcnda32.exe
2164	Ndjfeo32.exe
1644	Nhllob32.exe
2196	Nlhgoqhh.exe

Loads dropped DLL 44 IoCs

pid	Process
2736	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
2736	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
2684	Lgmcqkkh.exe
2684	Lgmcqkkh.exe
2564	Linphc32.exe
2564	Linphc32.exe
1680	Laegiq32.exe
1680	Laegiq32.exe
3060	Lccdel32.exe
3060	Lccdel32.exe
580	Libicbma.exe
580	Libicbma.exe
328	Mpmapm32.exe
328	Mpmapm32.exe
2076	Mieeibkn.exe
2076	Mieeibkn.exe
2088	Mbmjah32.exe
2088	Mbmjah32.exe
1252	Modkfi32.exe
1252	Modkfi32.exe
2828	Mdacop32.exe
2828	Mdacop32.exe
2872	Mlhkpm32.exe
2872	Mlhkpm32.exe
1736	Mofglh32.exe
1736	Mofglh32.exe
2344	Maedhd32.exe
2344	Maedhd32.exe
2708	Nckjkl32.exe
2708	Nckjkl32.exe
2632	Nkbalifo.exe
2632	Nkbalifo.exe
1072	Niebhf32.exe
1072	Niebhf32.exe
1900	Nlcnda32.exe
1900	Nlcnda32.exe
2164	Ndjfeo32.exe
2164	Ndjfeo32.exe
1644	Nhllob32.exe
1644	Nhllob32.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Linphc32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Maedhd32.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Linphc32.exe	Lgmcqkkh.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Eeejnlhc.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Fhhiii32.dll	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Fdilgioe.dll	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Mofglh32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Maedhd32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	Linphc32.exe
File created	C:\Windows\SysWOW64\Aadlcdpk.dll	Linphc32.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Nhllob32.exe	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Nhllob32.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Njfppiho.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Nkbalifo.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkbalifo.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Aaebnq32.dll	Lgmcqkkh.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Kjbgng32.dll	Nlcnda32.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Lgmcqkkh.exe	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mbmjah32.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Linphc32.exe	Lgmcqkkh.exe
File opened for modification	C:\Windows\SysWOW64\Lccdel32.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Libicbma.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nhllob32.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Mbmjah32.exe	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Maedhd32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmcqkkh.exe	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe

Program crash 1 IoCs

pid	pid_target	Process
1276	2196	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmcqkkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Linphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbalifo.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaebnq32.dll"	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhllob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeejnlhc.dll"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilgioe.dll"	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Linphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	Linphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Mdacop32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2684	2736	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe	30
PID 2736 wrote to memory of 2684	2736	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe	30
PID 2736 wrote to memory of 2684	2736	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe	30
PID 2736 wrote to memory of 2684	2736	60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe	30
PID 2684 wrote to memory of 2564	2684	Lgmcqkkh.exe	31
PID 2684 wrote to memory of 2564	2684	Lgmcqkkh.exe	31
PID 2684 wrote to memory of 2564	2684	Lgmcqkkh.exe	31
PID 2684 wrote to memory of 2564	2684	Lgmcqkkh.exe	31
PID 2564 wrote to memory of 1680	2564	Linphc32.exe	32
PID 2564 wrote to memory of 1680	2564	Linphc32.exe	32
PID 2564 wrote to memory of 1680	2564	Linphc32.exe	32
PID 2564 wrote to memory of 1680	2564	Linphc32.exe	32
PID 1680 wrote to memory of 3060	1680	Laegiq32.exe	33
PID 1680 wrote to memory of 3060	1680	Laegiq32.exe	33
PID 1680 wrote to memory of 3060	1680	Laegiq32.exe	33
PID 1680 wrote to memory of 3060	1680	Laegiq32.exe	33
PID 3060 wrote to memory of 580	3060	Lccdel32.exe	34
PID 3060 wrote to memory of 580	3060	Lccdel32.exe	34
PID 3060 wrote to memory of 580	3060	Lccdel32.exe	34
PID 3060 wrote to memory of 580	3060	Lccdel32.exe	34
PID 580 wrote to memory of 328	580	Libicbma.exe	35
PID 580 wrote to memory of 328	580	Libicbma.exe	35
PID 580 wrote to memory of 328	580	Libicbma.exe	35
PID 580 wrote to memory of 328	580	Libicbma.exe	35
PID 328 wrote to memory of 2076	328	Mpmapm32.exe	36
PID 328 wrote to memory of 2076	328	Mpmapm32.exe	36
PID 328 wrote to memory of 2076	328	Mpmapm32.exe	36
PID 328 wrote to memory of 2076	328	Mpmapm32.exe	36
PID 2076 wrote to memory of 2088	2076	Mieeibkn.exe	37
PID 2076 wrote to memory of 2088	2076	Mieeibkn.exe	37
PID 2076 wrote to memory of 2088	2076	Mieeibkn.exe	37
PID 2076 wrote to memory of 2088	2076	Mieeibkn.exe	37
PID 2088 wrote to memory of 1252	2088	Mbmjah32.exe	38
PID 2088 wrote to memory of 1252	2088	Mbmjah32.exe	38
PID 2088 wrote to memory of 1252	2088	Mbmjah32.exe	38
PID 2088 wrote to memory of 1252	2088	Mbmjah32.exe	38
PID 1252 wrote to memory of 2828	1252	Modkfi32.exe	39
PID 1252 wrote to memory of 2828	1252	Modkfi32.exe	39
PID 1252 wrote to memory of 2828	1252	Modkfi32.exe	39
PID 1252 wrote to memory of 2828	1252	Modkfi32.exe	39
PID 2828 wrote to memory of 2872	2828	Mdacop32.exe	40
PID 2828 wrote to memory of 2872	2828	Mdacop32.exe	40
PID 2828 wrote to memory of 2872	2828	Mdacop32.exe	40
PID 2828 wrote to memory of 2872	2828	Mdacop32.exe	40
PID 2872 wrote to memory of 1736	2872	Mlhkpm32.exe	41
PID 2872 wrote to memory of 1736	2872	Mlhkpm32.exe	41
PID 2872 wrote to memory of 1736	2872	Mlhkpm32.exe	41
PID 2872 wrote to memory of 1736	2872	Mlhkpm32.exe	41
PID 1736 wrote to memory of 2344	1736	Mofglh32.exe	42
PID 1736 wrote to memory of 2344	1736	Mofglh32.exe	42
PID 1736 wrote to memory of 2344	1736	Mofglh32.exe	42
PID 1736 wrote to memory of 2344	1736	Mofglh32.exe	42
PID 2344 wrote to memory of 2708	2344	Maedhd32.exe	43
PID 2344 wrote to memory of 2708	2344	Maedhd32.exe	43
PID 2344 wrote to memory of 2708	2344	Maedhd32.exe	43
PID 2344 wrote to memory of 2708	2344	Maedhd32.exe	43
PID 2708 wrote to memory of 2632	2708	Nckjkl32.exe	44
PID 2708 wrote to memory of 2632	2708	Nckjkl32.exe	44
PID 2708 wrote to memory of 2632	2708	Nckjkl32.exe	44
PID 2708 wrote to memory of 2632	2708	Nckjkl32.exe	44
PID 2632 wrote to memory of 1072	2632	Nkbalifo.exe	45
PID 2632 wrote to memory of 1072	2632	Nkbalifo.exe	45
PID 2632 wrote to memory of 1072	2632	Nkbalifo.exe	45
PID 2632 wrote to memory of 1072	2632	Nkbalifo.exe	45

C:\Users\Admin\AppData\Local\Temp\60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe
"C:\Users\Admin\AppData\Local\Temp\60935eece629d6dfdf89023eae5dd178a7a4f5a1da28838f98efba6f7ba6442f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\Lgmcqkkh.exe
  C:\Windows\system32\Lgmcqkkh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\Linphc32.exe
    C:\Windows\system32\Linphc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Laegiq32.exe
      C:\Windows\system32\Laegiq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Nkbalifo.exe
        
        C:\Windows\system32\Nkbalifo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lccdel32.exe

Filesize
364KB

MD5
699612546613494796b4922e6393cb55

SHA1
f4e67db088eab2b36dd3abb705191e044f9559f5

SHA256
753ec291c9b825fe87ed20b2c2d562497af4220e36f90af85e0145442b1d4940

SHA512
0fceedead929049ae8ea59eb4ce5cb68c50a046b64d25a3b0852006e420dbc11af6eb4fe6c4eb95c5147e73091a6a74da8fa48ef8ce2a60c2d3ce06408d63ad1

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
364KB

MD5
36ed6d3fc89a6b5659a2a767b3f456a5

SHA1
ff2f5d771ca5bf7072a43ce82e8811d1cae50048

SHA256
6279265cf6fb2e052fbaf8f9122ab600cd83a7a209f934af0d5f5d1116117761

SHA512
e668966717f4eca408ec880d3ec27fe1988e104edb8d87f74b3c7793482f11cff0390e0f58f09c0d261d5ec218046135ea72f7742e3b98d31e970f239c74b4f1

Download Submit
C:\Windows\SysWOW64\Linphc32.exe

Filesize
364KB

MD5
68977dc97b598f39adfabb34c9f8fb43

SHA1
efcd7dd1752df401ac981010ac67c0798f220468

SHA256
e7210f2567b3c63101a1e6680c0ffbcb800c2176111be68c6ba142493d6d910e

SHA512
9f55b60441f5b172bcb946a3a3f23fd09c2b216a3a45aec1f02573e02918b3e388225de1679d5eab4710f01fd4a88025dce469549a5d11130307078527e03001

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
364KB

MD5
69e8c68714f303f9c215985843bfb1a2

SHA1
71c31e60fc0d08f091a214abb4b9b2cbc68c6aba

SHA256
426c6630a7131b9c0de0b14be44d42e0035eae1be9d613a9f5e6af7afd02ea8b

SHA512
9c010c533c036daacfc17bbb5b91bee284126080237af4f5ba43a6f2a3853996bad71995d4be88eac0654f45b714ad8a633e5d79a60b37f99824194564e14cd2

Download Submit
C:\Windows\SysWOW64\Mbmjah32.exe

Filesize
364KB

MD5
e2b6241ea87703f85933ba30570c0411

SHA1
85b8aaf49e318700a1ec266099ab46153db5c8fb

SHA256
cee738370e8092a88f0038bfa215ce449c81fa67a0b88e5d6e490b791bf01bc5

SHA512
16880b1d6ba5d872898c9586cd56d09059ec60144662af9bb7b7362238dcc0c10311f22b9fc3dfb66d5657e91185cf9c0ffdcaed60aad10af161a94acc6ee7f0

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
364KB

MD5
00166bf6a6438ce6651095da651e83d6

SHA1
322bda8aeab3a8203944a6d508a022f78041f4fa

SHA256
b8e50bcfae4c8a8d3f938431a0b62b015f50e713086b04dced318b8bef2eb0cf

SHA512
5244882f67d8bed7badf9cd0666cc6c67553b8d300dc64a88cd1a9480321ccbd2bba6666c233f612825bd0f899756b251dab0980483d5a0c0853af8a7f6278a6

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
364KB

MD5
3168e885391f927704ee4244ac83e246

SHA1
192e87626998d8a21f0bbd728447c44b55efc68f

SHA256
2bd172c80561e2accd9df22e9e829c726ec6958981f36faca497a59ced4a3405

SHA512
1db03ccccc478809b11fa263ec368aa924381e38e2ed8cb22b04bcd3bd2493f1c0192d436d0e11f35e66c9814f315901fb33ad7106a457fe450050b8a478f03d

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
364KB

MD5
92a844fcb81edd75e3d576715dcd82df

SHA1
3e33e34f9114f3ef4c54668d4f774337a0da84bd

SHA256
a2d293173f9ff768a29349f2750961bb8d2d9a58bb6cf2aaf1a3bde6b31ac454

SHA512
0eab2b6e15b6819caba0ace1dce20a0cb61a88c3491bc4af974d32a857bd105d87fae9a7253a757afd8f3391cce46513294bc69c2eb8b50f8b286ca81a8d6b51

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
364KB

MD5
ecbe2a45d84396161f38934ce0ba20c0

SHA1
35af52a9ba04cbadd325b863c32ce2bc590c19a5

SHA256
20a7ef489116fed26da28226da0406a245e835a99211b5fae5ec125d0ca3bcf8

SHA512
50f5b99e662373e55fcbf5579365efb1662062fa4d17285312aaec0d04216bfe116bdc2cd17a8d3f29b547986437bd87226be0a7789a90739b651b251c7e9fba

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
364KB

MD5
2c02b3cd2c68c2fac93c8e241b0191af

SHA1
4d52be95c4aa21d9fea5511c3306f25fd9022235

SHA256
f82530d2a93129bc84452d5dfa9023e42bc5cce30205cd8b1b8e931b9a70c52b

SHA512
724d3002460a00d20d0e0532c082777cc83e6057f09a81ce9fa7edb8b079286833e4b96726760c20e2dfbbda9284d5f37ed0c8774f1647151643754d33008aa4

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
364KB

MD5
6e59b0ad30f991b453424734436833de

SHA1
a3df5c2bac16ee609daea2555c53f767166a0783

SHA256
0570e48159d915fb2a4a675b96ae9a7121d7936f35e74b59305e08772b0116dd

SHA512
22381b1377130ffeafd9869a445b57c1709dff9c02da8cd593f3a3d299f6eee96abb897289dd2516219d20a06c4a5e43065d328e0a44e2559a607355a66a8cf1

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
364KB

MD5
7e4cc410c8d796f8fa2c9ec384c979c9

SHA1
d8eca0f58867557d8d5dc8bd41557035eb8b8c33

SHA256
25369089e3f25e4168e0817a1b4deb0075485a2c62c7fcf2c1f7d0d2b53ac94d

SHA512
3a472619adc5125933bdf23c56d3b35808b8abd26650b27e2164284a1a7703339146edc5632ea1e516e42688c7309c4c13a4a38f488922925020dc0f16a77b04

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
364KB

MD5
8200ee6d2964df0be4af6d314d7bfd96

SHA1
6d2e8e074184c6c05de23514e627dc6a745dc475

SHA256
e183252f76b77dff467ce8fa4807ba80f997b6885b3963e7da8c8f94d8be9310

SHA512
31f0cb77db3acaa59c79960c7fbeb0543b681a4f0a8f4c14749aafee5039f43a89120c0a99cf7b5f945ac671d0c9a96c0fff045d47a5ca2605b9fab8d391bbee

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
364KB

MD5
10e5f87951b8251909d2bf5b4391d752

SHA1
c6cfa6179fe5f20fde61ac39d55b25cec65cd8a0

SHA256
a2bccd07bee32059486ed8e1e6cbad7becb1cbf0bb3b35f71214c888bd1028ca

SHA512
5a9ffc720bbe4ed7a36fb3e566062cf09ff2b8994beb39f81c817ce00ca6878754b09f1b4463327b1bd07b4db095a30faf5f533ec2ed32827ae0ff07ed92e8d7

Download Submit
C:\Windows\SysWOW64\Nkbalifo.exe

Filesize
364KB

MD5
5a384e02683b1228e56608068ba29ecf

SHA1
964a9dc15c9ac0a8079a47f9113ebe6d7196be3a

SHA256
a1ccde0a924319a587db34d9e770c098fb2c31ae20506bf34756212818337a95

SHA512
1903a6a52b82f16292fa68565ffc4fdddd71d68582acd7dda2146ca7b7eba18e6b324d30dc8cf414a3e92925e184cdeb9a55ed64aec685b9883f1cbfd7cf0011

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
364KB

MD5
1a6800f46063c27f3f1dde01e2ed99cb

SHA1
a07f84a576ced8ca25bc3719850901c200f0ac7a

SHA256
c419a33568218a5e755eff9b27e544e34c032ffdfc06fc9c4a4213fa2404a318

SHA512
2717c90d1b1842e3844fa85e78997fe63de94fb8ed6a4df02c7ad7e724b091417577ae0093e6b7a047948395d4c43595287b53005542ac5fd583df5e53f9bf21

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
364KB

MD5
4e32279bb99b13e2387a11ff19ab37a5

SHA1
617fc7d473b3eed3b7b2b9aea4c2935d4014bee2

SHA256
f6056c6cccb47c4c802cae8582f9d6842af181f69071b5584c8dd7ffffa6b190

SHA512
30f5f8297eec5d838d6c1bd1cb95510a893f8ca9ffb4d12a8cae28f8d0b7c3e81fbff3ff3516d204c66b2401a640e7ecec3aa2b20b406f824a4f5aa13ada243c

Download Submit
\Windows\SysWOW64\Laegiq32.exe

Filesize
364KB

MD5
ff79073a8652403fea4e960bdf78aea5

SHA1
7dcda068504757dbe8fc6b0cfa1e6cd634a71a12

SHA256
3889da4428081244197b51a0ac554f9bc066f4ff06bf3c4767ccadcbebbcc149

SHA512
c60674135e49c3d4d9147a43411d537b33b500764f1e23f4ab03a77e61c4c963b3d272abb17b42cc1041ffc9d7117a13dd6c9754c761378c04b573273a8cde85

Download Submit
\Windows\SysWOW64\Lgmcqkkh.exe

Filesize
364KB

MD5
bc50a5daa1e10277dfac6d7bf9811cea

SHA1
0e49a16b484c3f692960bb223c1ec1e59969c137

SHA256
b4c6e810c2f6a7a1832f374f408d9df95ea8a846168b815b74db7de65d3fc33a

SHA512
7d02a328c6456159fd1f94ac0da2b71c24b58869750213ed73eeb83353539f2d2a1d892b553116481dbe4795bd71766e0bdb3171d5227d360ec07a297bce9524

Download Submit
\Windows\SysWOW64\Modkfi32.exe

Filesize
364KB

MD5
5d3a9b517ffdfdaffb5018b060f45ad1

SHA1
7ec4e9f9a623894af3e4200d87b8e31c23053e02

SHA256
954617ca0caf1a125a7f6ff30c8a3ce26d7a0c7e420504a25f9cd7cee106f006

SHA512
a8b2086d9af8006a0b13b0b40e52cb816059153bb55f65067355ca68ff6752b33e0a60c49dcdeb3d90f18a562f7e5eeae260ee26e2ab9d40ff8caa49a31215ee

Download Submit
memory/328-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-76-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/580-79-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/580-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-225-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1072-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-130-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1252-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-256-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1680-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-175-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1736-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-103-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2088-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-117-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2164-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-244-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2196-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-184-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2344-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-189-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2344-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-40-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2632-212-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2632-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-203-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2736-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-12-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2736-13-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2736-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-144-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2828-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-162-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2872-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-61-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3060-67-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads