berbew | 5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381

General

Target

5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Size

96KB
MD5

541addec5cf2c869e158fe56046c308b
SHA1

24102769000c24bf54f5adcb986909965a485c5d
SHA256

5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381
SHA512

77edeed6eba13fc267f025ca09df90a68e079561a1a0117c33da42363c35115ed831a8362492f485579e6c4e14b7c9c0db5960f6f1e48d089faec420156f7864
SSDEEP

1536:0hPiZznlU8W/tgRbxtgInHyPNWIJDxgi2cNaBsAkIM9iAZ7O7OM6bOLXi8PmCofV:1TSPsCxgzIJI7DrLXfzoey

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 7 IoCs

pid	Process
4848	Dhkjej32.exe
2996	Dmgbnq32.exe
3692	Deokon32.exe
1800	Dmjocp32.exe
2636	Dddhpjof.exe
100	Dknpmdfc.exe
852	Dmllipeg.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhkjej32.exe	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4700	852	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4848	1928	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe	83
PID 1928 wrote to memory of 4848	1928	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe	83
PID 1928 wrote to memory of 4848	1928	5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe	83
PID 4848 wrote to memory of 2996	4848	Dhkjej32.exe	84
PID 4848 wrote to memory of 2996	4848	Dhkjej32.exe	84
PID 4848 wrote to memory of 2996	4848	Dhkjej32.exe	84
PID 2996 wrote to memory of 3692	2996	Dmgbnq32.exe	85
PID 2996 wrote to memory of 3692	2996	Dmgbnq32.exe	85
PID 2996 wrote to memory of 3692	2996	Dmgbnq32.exe	85
PID 3692 wrote to memory of 1800	3692	Deokon32.exe	86
PID 3692 wrote to memory of 1800	3692	Deokon32.exe	86
PID 3692 wrote to memory of 1800	3692	Deokon32.exe	86
PID 1800 wrote to memory of 2636	1800	Dmjocp32.exe	87
PID 1800 wrote to memory of 2636	1800	Dmjocp32.exe	87
PID 1800 wrote to memory of 2636	1800	Dmjocp32.exe	87
PID 2636 wrote to memory of 100	2636	Dddhpjof.exe	88
PID 2636 wrote to memory of 100	2636	Dddhpjof.exe	88
PID 2636 wrote to memory of 100	2636	Dddhpjof.exe	88
PID 100 wrote to memory of 852	100	Dknpmdfc.exe	89
PID 100 wrote to memory of 852	100	Dknpmdfc.exe	89
PID 100 wrote to memory of 852	100	Dknpmdfc.exe	89

C:\Users\Admin\AppData\Local\Temp\5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe
"C:\Users\Admin\AppData\Local\Temp\5b09dbe0779982e569e445ec2c5b74bac922423b68f092dd428d046c5308a381.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\Dmgbnq32.exe
    C:\Windows\system32\Dmgbnq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 408
        9⤵
        Program crash
        
        PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 852 -ip 852
1⤵
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amjknl32.dll

Filesize
7KB

MD5
7e1a3e281cdd863eb35c22c5201d987b

SHA1
18b83caae237c02a1c09b9ade400ecac300d7ccb

SHA256
1c0b49c2dd87a194b55017b69ca7e70c68282ae62b16d031bc8745e7672adaf0

SHA512
80ebcd2a9d87ab9bd11d0031bb433901cad5dd23aeaa6b0afab1a4396603321f009fb84e87ec9f9849565a1d5ec527bcef8ba9c0a6afa893d45475e52578de20

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
8c82cb33e6892c90efea60a79d74734b

SHA1
b345ed645f8f83c6e0c5b175e53a4716f37ffd1a

SHA256
949a49b50ea3366ed85cacb14fbc367f7e5a970e9d23419254c2cb7a05ed74fa

SHA512
c2a7f310e739afed84b2c814956afe7f52474c95ea3055dec8b0570399b0b7ef3b884bf33d4e906532ba4cd8027c97d35c5a916259d45dc61fe79abd85d021eb

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
27684cdcf2db4164938c11a9386a6512

SHA1
84745edee38bafaf863cd9d55c6c108f36c7ceba

SHA256
3010a71e2f69c1a07474a9316d45364283c39c6334bd303b88b808722c9c1e6c

SHA512
26f3f5604764ad6b0c8300aaa45e970d25e2f2adbac9a7acc932a8c11b865c743328d28124d67bf12b0e0fdaaf9d2863ffd96b34d4d5e017bfd16d059585fdcd

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
4de6942a164039170eaba891fadc7882

SHA1
89e94c5aa2853c711b84cbeb87323b0ee9fea9ef

SHA256
2d787c6ff4d964754139b9d0a7b223088fc3cf304983342b78bd37dd874c137d

SHA512
2b993e3d57f3ee643a03d9faf4c978e5a8b96c8ef965b338ec42d91d2a07f3065223691ab8c266ef72c164c59853ce3f2e8784118d98a836058e7a6fd276a952

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
79ef0a90d3e5a4cae98d2d6b45949a50

SHA1
8659bf6bb1467ffb8138928c96468f07e9950ca4

SHA256
88411432bc56a5219dd2cc90bc8d9bfdf36d3ffa8c87948d429e47ae3b4a39af

SHA512
9d7c36aeccd2b1026833f26eccc888eebac6fbf9050a0208236b116f9bde43f63e024d0251267f25057770d0664931e5701687800b9944d519d03d3aaec87085

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
16b6eeb030294fdbf9956e0f750c5bc0

SHA1
d8e0cd0fcd205e672b1880b555cb8598d9d69d28

SHA256
e8abe2ce4adb25f57e4a2536e3e9ced5e80a88f4b6a3e2096049cbe967a73c8a

SHA512
6e80749de3c5e1a443a2e95045f551642f94752adcf6d8e2d6b1386bf38fece55b11fda1d5cc156cce4cdd502256316b503038e65aaa0a4cbc392bd21d5114e3

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
9c755c93b4315ab92e79fe317bd12a5c

SHA1
934827ebdc45dee0c9b4a4250acecff845359d4e

SHA256
136235359d6961eafbaa10eaf6f5373b774ba919608cef80052c5742c19809c1

SHA512
62d5bbdfce5309464061a278a0b51c4fc6ef8be51518c6270cd1e21997abeb0c65c4bc56daebb3450fc4238763e01f86ceb613f117da71b8646b6aba5ea278f7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
87d9a74dcddd22ffd983e5460755cc90

SHA1
d1d50c04c3653bcf4a332c889fb7b24a7c95092a

SHA256
512ed6619438c79c94ce2f24c961abea970a0ec62fb33831b3c1c169f00fdde8

SHA512
461a835a16854796eafb530a43b6c0dfa4332cdb900357291df827dc905d931be926ce20b7410160ce6e6b8e58a7f6aaa9499340895ed4eeb01dd402d3f7f226

Download Submit
memory/100-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/100-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1800-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1800-59-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-60-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3692-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3692-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads