berbew | a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Size

94KB
MD5

700412ae0f7c276364cc0c5e8cb45970
SHA1

0c403a02f44cf7189aaa41a9b3cd4befdc71ac91
SHA256

a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9
SHA512

6287461b37581a22e7c75e53430305f5e3def96029f301cc4dab1d66678e8ece35c397ac300ad56f3bbd1c53b5d4c175aa6c03fb71f4819324918280ca88ebd0
SSDEEP

1536:9gatqp77f660Oaee1SX8OV0RkSzbRPkssZZcKXwHh7ch3KYJ1nnxXRVkeyyVr3iw:u1e6XvsLkSRPvsZlX6hy339d3kremwcA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 6 IoCs

pid	Process
2592	Bdkgocpm.exe
2608	Bjdplm32.exe
2588	Bdmddc32.exe
2172	Cdoajb32.exe
592	Cfnmfn32.exe
1288	Cacacg32.exe

Loads dropped DLL 16 IoCs

pid	Process
2904	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
2904	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
2592	Bdkgocpm.exe
2592	Bdkgocpm.exe
2608	Bjdplm32.exe
2608	Bjdplm32.exe
2588	Bdmddc32.exe
2588	Bdmddc32.exe
2172	Cdoajb32.exe
2172	Cdoajb32.exe
592	Cfnmfn32.exe
592	Cfnmfn32.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2292	1288	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2592	2904	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe	30
PID 2904 wrote to memory of 2592	2904	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe	30
PID 2904 wrote to memory of 2592	2904	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe	30
PID 2904 wrote to memory of 2592	2904	a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe	30
PID 2592 wrote to memory of 2608	2592	Bdkgocpm.exe	31
PID 2592 wrote to memory of 2608	2592	Bdkgocpm.exe	31
PID 2592 wrote to memory of 2608	2592	Bdkgocpm.exe	31
PID 2592 wrote to memory of 2608	2592	Bdkgocpm.exe	31
PID 2608 wrote to memory of 2588	2608	Bjdplm32.exe	32
PID 2608 wrote to memory of 2588	2608	Bjdplm32.exe	32
PID 2608 wrote to memory of 2588	2608	Bjdplm32.exe	32
PID 2608 wrote to memory of 2588	2608	Bjdplm32.exe	32
PID 2588 wrote to memory of 2172	2588	Bdmddc32.exe	33
PID 2588 wrote to memory of 2172	2588	Bdmddc32.exe	33
PID 2588 wrote to memory of 2172	2588	Bdmddc32.exe	33
PID 2588 wrote to memory of 2172	2588	Bdmddc32.exe	33
PID 2172 wrote to memory of 592	2172	Cdoajb32.exe	34
PID 2172 wrote to memory of 592	2172	Cdoajb32.exe	34
PID 2172 wrote to memory of 592	2172	Cdoajb32.exe	34
PID 2172 wrote to memory of 592	2172	Cdoajb32.exe	34
PID 592 wrote to memory of 1288	592	Cfnmfn32.exe	35
PID 592 wrote to memory of 1288	592	Cfnmfn32.exe	35
PID 592 wrote to memory of 1288	592	Cfnmfn32.exe	35
PID 592 wrote to memory of 1288	592	Cfnmfn32.exe	35
PID 1288 wrote to memory of 2292	1288	Cacacg32.exe	36
PID 1288 wrote to memory of 2292	1288	Cacacg32.exe	36
PID 1288 wrote to memory of 2292	1288	Cacacg32.exe	36
PID 1288 wrote to memory of 2292	1288	Cacacg32.exe	36

C:\Users\Admin\AppData\Local\Temp\a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe
"C:\Users\Admin\AppData\Local\Temp\a20958068522cba04b03f467e7b40c55ef0e1adf9e5ff16b411bd7952de6b8e9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\Bdkgocpm.exe
  C:\Windows\system32\Bdkgocpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\Bjdplm32.exe
    C:\Windows\system32\Bjdplm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\Bdmddc32.exe
      C:\Windows\system32\Bdmddc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 140
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
94KB

MD5
90f9669d509d82faea39cc8ac67abc57

SHA1
99198525480c1903ff7c024d8f0d354bc8bd6667

SHA256
537258a218abb12f01809c1bf69c628e18b33c6d4ad963b66014adf629d2dbc6

SHA512
67375071d526b8a0ca4410ee52c7e4250f5e7486c0bb85b5ec83a84e5b6d4d2408a5fd336a4227262b94503f805234801f593a2eae02cbeb7ce296c525cabbed

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
94KB

MD5
d93f4c7560ec5386062843990a78b7b4

SHA1
56aa7a7730c0e0ab8ce5dbce1a6783d0540356c5

SHA256
7b0cc8c2b65cf35ba468ba842ca54fcd8c8dbff6c2a762ded30565a558931ca2

SHA512
8f6491a38004942c816f629a4115a9e5ac6b3b8872744c7a514b1e1d72cbeb97301fcc87ec58521ce0275a1e93c19a98e100d822be71ecff50a19d5eaafdf944

Download Submit
C:\Windows\SysWOW64\Mabanhgg.dll

Filesize
7KB

MD5
4556658aa16af96df9adba3f30bae7fb

SHA1
65e3ef24db7f1d9eab9823660b2bd99f6370bc98

SHA256
fc4393f42affbb274595e556833b16db2d16d93c4898f2d9db38307f17bf0ad2

SHA512
842d59170393b8a17e5cfbd16fc09dbe27168bbf3a6e86cfc2ee0a17d463ecef82dc5270caba52b80ddb88ed78b4fbde55e35f40248a1143ee60880f9820a76f

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
94KB

MD5
5fa9eed185c8b734b2a2eff4d2b26d93

SHA1
b1a86166f9ede5d7930ce58aaa2a0a787f522bd0

SHA256
af6f09ad5581a22251361fd61e1418c823c8986e78136b1cd556e97f1135f3dc

SHA512
456176d6f45c6c002d55501de2745c2bc0a798ff587f3a67cae5dc84fc00e4c14e0cb10be03178fd53c9fdad113a6e28db5f70a8b69349f935f52a0d130884ad

Download Submit
\Windows\SysWOW64\Bjdplm32.exe

Filesize
94KB

MD5
ba918aede21b4178c9c88eb702d28cec

SHA1
09692447fdb144d21aaf59578cf0e12b982b8e7d

SHA256
c940ed828008ffe1efa91ee345ca6f27e6995a386c7e35d484d3f39a6e994d37

SHA512
15cd4356c3c5e91188d9f086b4d4549f01e3cb2302476ccf74a72df76adea5d57053311971ed67e35c60b774f5a9100e5e7dc8a8d764c414ffbe4b09733969b8

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
94KB

MD5
c38f21268984f6d98d0d2d6567b2b942

SHA1
e9c483b4c10e178c503b06ae4a132242e275cdb2

SHA256
02ee6632bf8352ba491ef2c4b9f0eef1c1fd4266bfe9c16686c079222400b7a4

SHA512
3562165e64943134c50ac332073b2d5974ca083ce063c4866557c6fd58e7844ae5534c813cb6ce41ebe47847264aaf9d39b09a79a6402f385f10623c769e9f42

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
94KB

MD5
e3af891f759cb2909e098e6c9435f3b3

SHA1
ad889ec7bbc71c8eb7f8cb25e6db9da6f6caffa4

SHA256
dc1781677d4bae7a1e69a894c99adfd189469b184b33953fa2578d7adb8a98ac

SHA512
7b5aeed4dc8863931a90bf7cf357a115b3838da45673e00299222b99e4c58397437d8dd90a2ae4accacbebd5bf209680dc7064c9dcab0879939996d9a5ce8428

Download Submit
memory/592-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/592-75-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1288-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-63-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2588-50-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2588-42-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-86-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-26-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2592-27-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2592-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-12-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2904-13-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2904-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads