berbew | e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Size

91KB
MD5

0ee55ea7312860462d90ee20e2f4dce0
SHA1

4dd92dabe53437d0d452ef1b97d1ac264bb38f49
SHA256

e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887
SHA512

b81da0e46c5dd73973f2d9ef9937f941b3734a0c5703aee255c2a8c7ab47c86d3b979e9ad4fcb246d4ace02c98ea67c03450f71b14ac4d46ef1cedf4652bccf6
SSDEEP

1536:SwIDwL3HKBGxyMlvTjZsZNb4NLXbO/s0mjI1XNQ:SjULKYv5s8O/zlXNQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lemdncoa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 7 IoCs

pid	Process
2980	Kdbepm32.exe
2824	Kkmmlgik.exe
2720	Kgcnahoo.exe
2860	Lmmfnb32.exe
2660	Lghgmg32.exe
2688	Lemdncoa.exe
1300	Lepaccmo.exe

Loads dropped DLL 18 IoCs

pid	Process
3052	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
3052	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
2980	Kdbepm32.exe
2980	Kdbepm32.exe
2824	Kkmmlgik.exe
2824	Kkmmlgik.exe
2720	Kgcnahoo.exe
2720	Kgcnahoo.exe
2860	Lmmfnb32.exe
2860	Lmmfnb32.exe
2660	Lghgmg32.exe
2660	Lghgmg32.exe
2688	Lemdncoa.exe
2688	Lemdncoa.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdbepm32.exe	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lemdncoa.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lemdncoa.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Lioglifg.dll	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Lemdncoa.exe	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lemdncoa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	1300	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lioglifg.dll"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lemdncoa.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2980	3052	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe	30
PID 3052 wrote to memory of 2980	3052	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe	30
PID 3052 wrote to memory of 2980	3052	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe	30
PID 3052 wrote to memory of 2980	3052	e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe	30
PID 2980 wrote to memory of 2824	2980	Kdbepm32.exe	31
PID 2980 wrote to memory of 2824	2980	Kdbepm32.exe	31
PID 2980 wrote to memory of 2824	2980	Kdbepm32.exe	31
PID 2980 wrote to memory of 2824	2980	Kdbepm32.exe	31
PID 2824 wrote to memory of 2720	2824	Kkmmlgik.exe	32
PID 2824 wrote to memory of 2720	2824	Kkmmlgik.exe	32
PID 2824 wrote to memory of 2720	2824	Kkmmlgik.exe	32
PID 2824 wrote to memory of 2720	2824	Kkmmlgik.exe	32
PID 2720 wrote to memory of 2860	2720	Kgcnahoo.exe	33
PID 2720 wrote to memory of 2860	2720	Kgcnahoo.exe	33
PID 2720 wrote to memory of 2860	2720	Kgcnahoo.exe	33
PID 2720 wrote to memory of 2860	2720	Kgcnahoo.exe	33
PID 2860 wrote to memory of 2660	2860	Lmmfnb32.exe	34
PID 2860 wrote to memory of 2660	2860	Lmmfnb32.exe	34
PID 2860 wrote to memory of 2660	2860	Lmmfnb32.exe	34
PID 2860 wrote to memory of 2660	2860	Lmmfnb32.exe	34
PID 2660 wrote to memory of 2688	2660	Lghgmg32.exe	35
PID 2660 wrote to memory of 2688	2660	Lghgmg32.exe	35
PID 2660 wrote to memory of 2688	2660	Lghgmg32.exe	35
PID 2660 wrote to memory of 2688	2660	Lghgmg32.exe	35
PID 2688 wrote to memory of 1300	2688	Lemdncoa.exe	36
PID 2688 wrote to memory of 1300	2688	Lemdncoa.exe	36
PID 2688 wrote to memory of 1300	2688	Lemdncoa.exe	36
PID 2688 wrote to memory of 1300	2688	Lemdncoa.exe	36
PID 1300 wrote to memory of 1676	1300	Lepaccmo.exe	37
PID 1300 wrote to memory of 1676	1300	Lepaccmo.exe	37
PID 1300 wrote to memory of 1676	1300	Lepaccmo.exe	37
PID 1300 wrote to memory of 1676	1300	Lepaccmo.exe	37

C:\Users\Admin\AppData\Local\Temp\e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
"C:\Users\Admin\AppData\Local\Temp\e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\Kdbepm32.exe
  C:\Windows\system32\Kdbepm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\Kkmmlgik.exe
    C:\Windows\system32\Kkmmlgik.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\Kgcnahoo.exe
      C:\Windows\system32\Kgcnahoo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Lemdncoa.exe
        
        C:\Windows\system32\Lemdncoa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Kdbepm32.exe

Filesize
91KB

MD5
022cfe3a559e9d7f5712360f9bcc2f9b

SHA1
837adadf3fe79886b7d50335e25963ea45a41ffe

SHA256
a7830e4d00e1a1448e324fd3fb3a436678bf46523451013b14fd39f9e22772ad

SHA512
9c24f2b9be2f756156f3fb07adda94ed01795340b549c9f55d1adb609b10bee9a2e82b17b047ed2149cc014d2a3f207e4396b07a8c9d4bee8f24bdbd72548162

Download Submit
\Windows\SysWOW64\Kgcnahoo.exe

Filesize
91KB

MD5
8a76f2c2822e8632bce696e7258dec7b

SHA1
c2f0060c23611ce721a9c8d244b83a16be0b915f

SHA256
66b0549aafba8b4987f0affa78620b90b7a53b34932e67f4cd722326836c393a

SHA512
a7fd71c13f71d9ad152b9112aacced8d8cade800558ca123cf1c3a67b06cce13e8974ffe111e631bbe1af681b3828bde2ccf960b31ac6745f589f11175aaabdf

Download Submit
\Windows\SysWOW64\Kkmmlgik.exe

Filesize
91KB

MD5
17e25048c1e7b0ed6160ce1143b02137

SHA1
8e04d8c8c5e443a8064f61108513af8c62ee6413

SHA256
b140ae77699d51f51eeba4b3d106042c0210e48027bc311a32a91ea66776fcc9

SHA512
81288f3e29200a200f1a929efb379101eb28a7bb5589be54e06d53279c28c39e31d2fc327433081e8fbc97e5d081491176ff9429801afbbaed15d7703f8a3179

Download Submit
\Windows\SysWOW64\Lemdncoa.exe

Filesize
91KB

MD5
c86e4b6d17fef86f505bba9f5da4991a

SHA1
f17c61a957560fa50d45f041a5789820615ed870

SHA256
cff05373b13e7ce0266ea6f80cb15bfe9412091fae8f6bfc1a595153196d5036

SHA512
c9f21d64058bdb7f13353082eda719707eda0d94b594026658ab5b75a28b76da314e579a9ff639b236c663b552be61fdded989c748a8b11e99104db1bdc5d96d

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
91KB

MD5
d490b0081104c98eab24e7aaf359a254

SHA1
20f9bc15e605058e2b78bce8b8f000fa2c8b20ff

SHA256
951d2a7e725d74e5314b483dfe376c99b2a9617e04da3a3b1fb702683f89f045

SHA512
3f2bac8c0b0fe9e329a07bc2798b577854b42ea04657c5d60609078e4b2547f6e71c08f62357ff03fb29e355f1122462f388163d39f622c778f74cb26637d07d

Download Submit
\Windows\SysWOW64\Lghgmg32.exe

Filesize
91KB

MD5
c68183fbb8c65d9b77890fb091940001

SHA1
2f050b1951f533575949be5c5ada634dc3dd3d44

SHA256
3a5c99c7215b9e90e06ce40d1c215449ff7d30ac5f8c6308cfa02fa2e432f119

SHA512
b82cb508475bbcd8037117be835da2df4f8ff81bbdf8ceceab4cae154425cc92494220ce02c782989eb27a0ea5e419df05d7e149fd0e607bad076c3b6619aba6

Download Submit
\Windows\SysWOW64\Lmmfnb32.exe

Filesize
91KB

MD5
cdbb558db40b4863ea102cb551a489c6

SHA1
2a22beb9a9f0ef61fd28c8fb5c3165ba7f6d1c2e

SHA256
bfda08eb13fce8a7b1ee9e2eb01b76d2c288eabbedd223042787dd51fe826b76

SHA512
3f3d76c80f6a7e8f2bf38722952cf3a5a4def9849467f55632791247f45f971083084ed2a9109229f4bdf89981f2a5c6b18693c8cfd4784710e6cfc9b022f009

Download Submit
memory/1300-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-93-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2688-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-49-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2720-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-40-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2860-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-66-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2980-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-12-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/3052-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-11-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/3052-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads