berbew | ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e

General

Target

ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Size

395KB
MD5

b19ac82abed9369ff1c17b28149ac4b0
SHA1

69c3ffe691fee73ae8499e38e5fe9793d36fa377
SHA256

ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e
SHA512

d7016bfd7dc65e4a3164bc1156378f594976f3add074df2501f4e78449138567fa1b12aa1f25d9df18ee2b885d249b0c48088374551edf848ed3590774ad73dc
SSDEEP

6144:F7Zp9hqRs4y70u4HXs4yr0u490u4Ds4yvW8l0:FX9hH4O0dHc4i0d90dA4t

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 7 IoCs

pid	Process
3680	Dfknkg32.exe
2272	Dhkjej32.exe
5068	Dfnjafap.exe
3796	Ddakjkqi.exe
2008	Daekdooc.exe
3812	Dknpmdfc.exe
2112	Dmllipeg.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1720	2112	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 3680	2588	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe	83
PID 2588 wrote to memory of 3680	2588	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe	83
PID 2588 wrote to memory of 3680	2588	ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe	83
PID 3680 wrote to memory of 2272	3680	Dfknkg32.exe	84
PID 3680 wrote to memory of 2272	3680	Dfknkg32.exe	84
PID 3680 wrote to memory of 2272	3680	Dfknkg32.exe	84
PID 2272 wrote to memory of 5068	2272	Dhkjej32.exe	85
PID 2272 wrote to memory of 5068	2272	Dhkjej32.exe	85
PID 2272 wrote to memory of 5068	2272	Dhkjej32.exe	85
PID 5068 wrote to memory of 3796	5068	Dfnjafap.exe	86
PID 5068 wrote to memory of 3796	5068	Dfnjafap.exe	86
PID 5068 wrote to memory of 3796	5068	Dfnjafap.exe	86
PID 3796 wrote to memory of 2008	3796	Ddakjkqi.exe	87
PID 3796 wrote to memory of 2008	3796	Ddakjkqi.exe	87
PID 3796 wrote to memory of 2008	3796	Ddakjkqi.exe	87
PID 2008 wrote to memory of 3812	2008	Daekdooc.exe	88
PID 2008 wrote to memory of 3812	2008	Daekdooc.exe	88
PID 2008 wrote to memory of 3812	2008	Daekdooc.exe	88
PID 3812 wrote to memory of 2112	3812	Dknpmdfc.exe	89
PID 3812 wrote to memory of 2112	3812	Dknpmdfc.exe	89
PID 3812 wrote to memory of 2112	3812	Dknpmdfc.exe	89

C:\Users\Admin\AppData\Local\Temp\ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe
"C:\Users\Admin\AppData\Local\Temp\ffaede333ad698084564323f01b31feff39d2c3ac4ca9f24dc5ef490316fdd2e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\Dfknkg32.exe
  C:\Windows\system32\Dfknkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\Dhkjej32.exe
    C:\Windows\system32\Dhkjej32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\Dfnjafap.exe
      C:\Windows\system32\Dfnjafap.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
      - C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 404
        9⤵
        Program crash
        
        PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2112 -ip 2112
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
395KB

MD5
42fe049caa4c02becec14f59aaddd9ab

SHA1
c99762a685e926634c2ab68bd199a089635359ca

SHA256
4039479facbd73c148c2a302b11dc36b5259e813ad9c2336c7c71d49ad367415

SHA512
686d6932737e79fdcef597ab3a5d83c11358a91bba9c5dfa1fad46abcb9a01654cc226fa4405b749103efee85ff658190a35a563913549ac163ee5ced9f7e791

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
395KB

MD5
89f79cbd77fe46acec1db90d834d3d58

SHA1
9d17e875cafa3114a2e572221f1f7f94a576c563

SHA256
13bd6b09aff90903f8fef3546d8c98ab625de71489073788f71509c08c03a3c6

SHA512
e77f3748e5248eb83ba8aab4bb524834bb18f12754773cf4ee789234b8ef4e38faa406653f490a0cc3107862ead59c4c9eddcc2277c4f0d56f430fbbe5f5eccc

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
395KB

MD5
d07340905ec9544794cc4d307dc93070

SHA1
987a5793143bc313b509909c004c82441619bf0d

SHA256
9e9bf5130b6041825a524cf1cfaf27ace2303bbf8cfdd2cbccc5ade32029cabb

SHA512
d551c6b095179a35437e76e8cddd0351dd18d3519df5605b88668d5faa31ed9867f267d198beac74469674ed08cc5562d5abcbe4757b92030676e5a3b9f49e73

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
395KB

MD5
49abc06671434339d32a2359935febf0

SHA1
e6413d5fbe2fc5f7eea746a8d0066ae9fa1d06c8

SHA256
c6f943af1f0d0b6e792287e9d90836c115177ca887c0588813710c61b1153cf3

SHA512
b4b85bd56757e57fd0ea22e79423537e44ec969309861dea6e06bf93257941f076354938d4de9a571ef6fd535b8ab75243589ebdc9dd6a1572ce506c6d899ec3

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
395KB

MD5
2973d0e8d44f1e7955d7e81450b356f5

SHA1
f0cf182522d0a14da570852fb3cc0c5ba4a678cb

SHA256
f9480feb9af3db2aa5c8c9dbda02594c44bb11b3e7a9a6bba73c6baae61794fd

SHA512
524002c2ef192a18f663777aa6e588fc71270daf5539de98b9dbc47fbfa37ea1aabf32420bf0138011c26a2352697adfaeb56bee5ee5df9319d8d41110d60468

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
395KB

MD5
341bec809b3f707b1a1abe582ba8f3a8

SHA1
e3a65270edb97456d5ad3b103317d9a2fdcf9376

SHA256
836dea073e2d8b0a58db9b13f2d7d287f391b45cefa4ff11f6dc57a4ceb520c7

SHA512
e10342833bfe9c483aeff679f2c25af313e04d56ed034450945e5fcb4b5380c6d21e16e1b209110dfd51820304d71fca9161ee71bde1c9e21f5fffdc7eb10cf5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
395KB

MD5
94574d103ce8f9db52951e322ce411cd

SHA1
33eedaee0bcc0c673dbdc0eae8911274e1ccc206

SHA256
85654df86b55ea8032a78bc0464ceed2fd4384041eab13df3805f8d1b32a2215

SHA512
38e140d0d9d402ee373bc690b7b7a35b95089b713b83382f1129a8bbc5eee54f87a7d2feecb5d986f4f7c5c87c4d001bfca0848e27698e3b599b8db261c07f10

Download Submit
memory/2008-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2008-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2112-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2112-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3680-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3680-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3796-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3796-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3812-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3812-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5068-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5068-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads