berbew | b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9

Analysis

max time kernel
74s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Size

71KB
MD5

eabc22a60f7172794482cdfaaf29d370
SHA1

390b1c2c2e3f340f2222513bafcbf2b5f3e5ddd6
SHA256

b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9
SHA512

404aa0b7da5914cf236a07029e3203836bc824739f9da8bd2b39ec2c8b1ee1b2ddbbd8259353c49d3114eae03d8ad33a84ae6b44da22a347d5ba5dbd44c63dc3
SSDEEP

1536:esACG+h4s1r7rXxLv/5ZHVM1hkGXtqRQcxDbEyRCRRRoR4Rk:DAJ+qs1Tp5+9tqeKEy032ya

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdplfflp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklaipbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npkfff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbile32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npkfff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdplfflp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklaipbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncloha32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 7 IoCs

pid	Process
2164	Moqgiopk.exe
2948	Mdplfflp.exe
2144	Ndbile32.exe
2304	Nklaipbj.exe
2832	Npkfff32.exe
2564	Ncloha32.exe
264	Opblgehg.exe

Loads dropped DLL 18 IoCs

pid	Process
1736	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
1736	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
2164	Moqgiopk.exe
2164	Moqgiopk.exe
2948	Mdplfflp.exe
2948	Mdplfflp.exe
2144	Ndbile32.exe
2144	Ndbile32.exe
2304	Nklaipbj.exe
2304	Nklaipbj.exe
2832	Npkfff32.exe
2832	Npkfff32.exe
2564	Ncloha32.exe
2564	Ncloha32.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bgbjkg32.dll	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
File created	C:\Windows\SysWOW64\Mdplfflp.exe	Moqgiopk.exe
File created	C:\Windows\SysWOW64\Nklaipbj.exe	Ndbile32.exe
File created	C:\Windows\SysWOW64\Hplmnbjm.dll	Ndbile32.exe
File created	C:\Windows\SysWOW64\Ncloha32.exe	Npkfff32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ncloha32.exe
File opened for modification	C:\Windows\SysWOW64\Moqgiopk.exe	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
File created	C:\Windows\SysWOW64\Bfnihd32.dll	Moqgiopk.exe
File created	C:\Windows\SysWOW64\Ndbile32.exe	Mdplfflp.exe
File opened for modification	C:\Windows\SysWOW64\Ndbile32.exe	Mdplfflp.exe
File created	C:\Windows\SysWOW64\Npkfff32.exe	Nklaipbj.exe
File created	C:\Windows\SysWOW64\Ecmdqkbq.dll	Nklaipbj.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ncloha32.exe
File created	C:\Windows\SysWOW64\Moqgiopk.exe	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
File created	C:\Windows\SysWOW64\Nhclfogi.dll	Mdplfflp.exe
File opened for modification	C:\Windows\SysWOW64\Npkfff32.exe	Nklaipbj.exe
File opened for modification	C:\Windows\SysWOW64\Ncloha32.exe	Npkfff32.exe
File created	C:\Windows\SysWOW64\Mnohgfgb.dll	Npkfff32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ncloha32.exe
File opened for modification	C:\Windows\SysWOW64\Mdplfflp.exe	Moqgiopk.exe
File opened for modification	C:\Windows\SysWOW64\Nklaipbj.exe	Ndbile32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1084	264	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndbile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nklaipbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npkfff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncloha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moqgiopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdplfflp.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklaipbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmdqkbq.dll"	Nklaipbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnohgfgb.dll"	Npkfff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbjkg32.dll"	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnihd32.dll"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncloha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Moqgiopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npkfff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhclfogi.dll"	Mdplfflp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklaipbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npkfff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdplfflp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdplfflp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hplmnbjm.dll"	Ndbile32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2164	1736	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe	30
PID 1736 wrote to memory of 2164	1736	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe	30
PID 1736 wrote to memory of 2164	1736	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe	30
PID 1736 wrote to memory of 2164	1736	b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe	30
PID 2164 wrote to memory of 2948	2164	Moqgiopk.exe	31
PID 2164 wrote to memory of 2948	2164	Moqgiopk.exe	31
PID 2164 wrote to memory of 2948	2164	Moqgiopk.exe	31
PID 2164 wrote to memory of 2948	2164	Moqgiopk.exe	31
PID 2948 wrote to memory of 2144	2948	Mdplfflp.exe	32
PID 2948 wrote to memory of 2144	2948	Mdplfflp.exe	32
PID 2948 wrote to memory of 2144	2948	Mdplfflp.exe	32
PID 2948 wrote to memory of 2144	2948	Mdplfflp.exe	32
PID 2144 wrote to memory of 2304	2144	Ndbile32.exe	33
PID 2144 wrote to memory of 2304	2144	Ndbile32.exe	33
PID 2144 wrote to memory of 2304	2144	Ndbile32.exe	33
PID 2144 wrote to memory of 2304	2144	Ndbile32.exe	33
PID 2304 wrote to memory of 2832	2304	Nklaipbj.exe	34
PID 2304 wrote to memory of 2832	2304	Nklaipbj.exe	34
PID 2304 wrote to memory of 2832	2304	Nklaipbj.exe	34
PID 2304 wrote to memory of 2832	2304	Nklaipbj.exe	34
PID 2832 wrote to memory of 2564	2832	Npkfff32.exe	35
PID 2832 wrote to memory of 2564	2832	Npkfff32.exe	35
PID 2832 wrote to memory of 2564	2832	Npkfff32.exe	35
PID 2832 wrote to memory of 2564	2832	Npkfff32.exe	35
PID 2564 wrote to memory of 264	2564	Ncloha32.exe	36
PID 2564 wrote to memory of 264	2564	Ncloha32.exe	36
PID 2564 wrote to memory of 264	2564	Ncloha32.exe	36
PID 2564 wrote to memory of 264	2564	Ncloha32.exe	36
PID 264 wrote to memory of 1084	264	Opblgehg.exe	37
PID 264 wrote to memory of 1084	264	Opblgehg.exe	37
PID 264 wrote to memory of 1084	264	Opblgehg.exe	37
PID 264 wrote to memory of 1084	264	Opblgehg.exe	37

C:\Users\Admin\AppData\Local\Temp\b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe
"C:\Users\Admin\AppData\Local\Temp\b45761049e192564d2215b12445d91b91c3a153642abfa1c894c902faab821c9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\Moqgiopk.exe
  C:\Windows\system32\Moqgiopk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\Mdplfflp.exe
    C:\Windows\system32\Mdplfflp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\Ndbile32.exe
      C:\Windows\system32\Ndbile32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\Nklaipbj.exe
        
        C:\Windows\system32\Nklaipbj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\SysWOW64\Npkfff32.exe
        
        C:\Windows\system32\Npkfff32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Ncloha32.exe
        
        C:\Windows\system32\Ncloha32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecmdqkbq.dll

Filesize
7KB

MD5
b8c98288fedb77da6411b5d720699113

SHA1
3cf25a0348be6b028a7ff9b124896ec04755499f

SHA256
94ad4772772bc8ff08f7bbc185a052c0bd6e3b90675f853286dda3411fb9dcd3

SHA512
c174cc550e4c2fa5ca0781f2ea67571a338b9a9ba29475faaa1fcb7478efe98ef129d54a01ed9e2d30ac73d9e9d827f7b83a49f3f0c7cbb2a274996806183893

Download Submit
\Windows\SysWOW64\Mdplfflp.exe

Filesize
71KB

MD5
892259f12d4ddaaa274c385d7d94b7e5

SHA1
9dbba254d27dc2e3e00420507419306591ffb929

SHA256
af006093ff67e3fbdf9aef5f527465a165c93ff50f6fa24ed12fa191a3082fb4

SHA512
4b7ce3f660dd6cfcc3fcef7d37a214c0e855cece58f7e1e531b44ea914a92fd69b7ae89cc14c212f8a7fbc8cd73474c302753acf976582782f4f35598446c76f

Download Submit
\Windows\SysWOW64\Moqgiopk.exe

Filesize
71KB

MD5
10a1b358010d08e739396a70cac5e7a8

SHA1
ce1505f02a8101787fb437d403dc99192be0e886

SHA256
361da06cd0f41e5bb17fc8d37e963d9d220e765e714b1e22c74430e5fb7bf471

SHA512
b8eac0b1d5c9439f70ccd60614054be571bb1edf5ccdbeb0558bcfb26d11b4475f005d7f7629255c884ac92a0d4473a66ad58889560ca9947ab7ebfba3a25394

Download Submit
\Windows\SysWOW64\Ncloha32.exe

Filesize
71KB

MD5
a4addcaf3c2ee7df7237b52e959cdda8

SHA1
42a2e11c7e64225826032d90ec336bc17d63c010

SHA256
ac10b1b36f86bdd285a318e82a177d3e1379ab888117c6045c37aac667f51171

SHA512
f025c764414e4952f63de2d17ab4fccfb5c11a9364a8e4f84df28719d87233727b820a3efe658c8333027a9f6d1c9fcf36c218f9387cecf358965341bcf578c4

Download Submit
\Windows\SysWOW64\Ndbile32.exe

Filesize
71KB

MD5
d9d6358e3d71bad84e9d4d6aa31ffba4

SHA1
4922839f4192eda12eba25f6cdbc455adcaa3c4d

SHA256
daf6f1393c37096bc9c8498389ca8e76b3b6125be1aac88974ec1442e6bffec4

SHA512
f74756baf72be6bd76761a917fcfd6aad166de74a7912223fbba2644c4ea92ee1bb1282c0a18b751f28e039d005ad808b1aac18cd5ca4c7b6714f04ef0b2f71a

Download Submit
\Windows\SysWOW64\Nklaipbj.exe

Filesize
71KB

MD5
740a71563f9e9def2330d94ecee4ae7e

SHA1
876c8b6660a40bbeaf374e41f0947c7a635e903c

SHA256
7e41ec98874eec623050aade4fa2b7002d2342b36bdf9f9d0a08bcae0ff0abee

SHA512
ef341550d2324bc49e9bd5eb36e76f1d370db45c54b55d07557f8a77f41ee474cae945b9ebd6fd1ef1b558feb06d63ce79534a7b7e4288582108b75145ec8e26

Download Submit
\Windows\SysWOW64\Npkfff32.exe

Filesize
71KB

MD5
e0585fd182f70694cc8c30c66f5fdae2

SHA1
e063675d76ebed73ed6024851ebe80c9c8591def

SHA256
2c2f1e6bd348b8ad1ee1848556eb4fdbc7b12212e40570cec2656201d05266b6

SHA512
e9fc5553f13964d95f7dfa296a89b97e10bc8a76b2b55a118e3720f5b7f7e5a36901680af4145ebca0a8e9f1cf5390a078297e94b584db5ee5f3462b445011d9

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
71KB

MD5
c10da993aa4487e3c38ae9bd23684ef9

SHA1
ad9349653251228fdbd8cdde636e6ecbc4a96512

SHA256
9f450bf436948fbdba15f1eb8f7c2d5e633817868c3913ad0cdb4a1eb5b5b0d5

SHA512
8fd3e9b564157537041b8b40b25b7105858c4f64636a4f2bb59347985f9c4c31d94ee3b0a96d72d6214d393394212250f8bca00a9145a8f722d1bd285ce96174

Download Submit
memory/264-93-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1736-11-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1736-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1736-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1736-12-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2144-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-21-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2164-26-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2164-102-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2564-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2832-67-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2832-74-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2832-99-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2948-39-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2948-101-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads