berbew | e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4

Analysis

max time kernel
23s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Size

163KB
MD5

a8a9634d26b2d4a4d539f9d862048329
SHA1

d214e84c0a8e5f2b229d8f9c2da0c78289b2e70d
SHA256

e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4
SHA512

98c2856086a5af932e68d0004063684bfae97fd46df492b4fa3462a982cae41b476a4c1a2d8d67e6799d9e8f329e6115ba41876706e08e3354e7197149ba58f5
SSDEEP

1536:P02+WIu5QXcAG+FKtYW9nJ7rMlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUA:82+WTQXu+ItB9JvMltOrWKDBr+yJbA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 6 IoCs

pid	Process
2972	Bajomhbl.exe
2956	Bjbcfn32.exe
2840	Bbikgk32.exe
2740	Bobhal32.exe
320	Cilibi32.exe
1504	Cacacg32.exe

Loads dropped DLL 16 IoCs

pid	Process
2816	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
2816	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
2972	Bajomhbl.exe
2972	Bajomhbl.exe
2956	Bjbcfn32.exe
2956	Bjbcfn32.exe
2840	Bbikgk32.exe
2840	Bbikgk32.exe
2740	Bobhal32.exe
2740	Bobhal32.exe
320	Cilibi32.exe
320	Cilibi32.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1948	1504	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Bajomhbl.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2972	2816	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe	30
PID 2816 wrote to memory of 2972	2816	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe	30
PID 2816 wrote to memory of 2972	2816	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe	30
PID 2816 wrote to memory of 2972	2816	e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe	30
PID 2972 wrote to memory of 2956	2972	Bajomhbl.exe	31
PID 2972 wrote to memory of 2956	2972	Bajomhbl.exe	31
PID 2972 wrote to memory of 2956	2972	Bajomhbl.exe	31
PID 2972 wrote to memory of 2956	2972	Bajomhbl.exe	31
PID 2956 wrote to memory of 2840	2956	Bjbcfn32.exe	32
PID 2956 wrote to memory of 2840	2956	Bjbcfn32.exe	32
PID 2956 wrote to memory of 2840	2956	Bjbcfn32.exe	32
PID 2956 wrote to memory of 2840	2956	Bjbcfn32.exe	32
PID 2840 wrote to memory of 2740	2840	Bbikgk32.exe	33
PID 2840 wrote to memory of 2740	2840	Bbikgk32.exe	33
PID 2840 wrote to memory of 2740	2840	Bbikgk32.exe	33
PID 2840 wrote to memory of 2740	2840	Bbikgk32.exe	33
PID 2740 wrote to memory of 320	2740	Bobhal32.exe	34
PID 2740 wrote to memory of 320	2740	Bobhal32.exe	34
PID 2740 wrote to memory of 320	2740	Bobhal32.exe	34
PID 2740 wrote to memory of 320	2740	Bobhal32.exe	34
PID 320 wrote to memory of 1504	320	Cilibi32.exe	35
PID 320 wrote to memory of 1504	320	Cilibi32.exe	35
PID 320 wrote to memory of 1504	320	Cilibi32.exe	35
PID 320 wrote to memory of 1504	320	Cilibi32.exe	35
PID 1504 wrote to memory of 1948	1504	Cacacg32.exe	36
PID 1504 wrote to memory of 1948	1504	Cacacg32.exe	36
PID 1504 wrote to memory of 1948	1504	Cacacg32.exe	36
PID 1504 wrote to memory of 1948	1504	Cacacg32.exe	36

C:\Users\Admin\AppData\Local\Temp\e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe
"C:\Users\Admin\AppData\Local\Temp\e53e9c68ab6015e9438910a0164a79d35dc36248da4ae444438b9a56601c74c4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Bajomhbl.exe
  C:\Windows\system32\Bajomhbl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\Bjbcfn32.exe
    C:\Windows\system32\Bjbcfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\Bbikgk32.exe
      C:\Windows\system32\Bbikgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 140
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
163KB

MD5
2a826f433dce5ecdd49edf243e92ba58

SHA1
f94cfb97d880700a90e6f41db257e636b660a9b8

SHA256
123db2fa28233148579badc56843f8a1556d83dfca8bfd67a6efe2e3376c56b1

SHA512
9298a5be81e5a64ab5904f6b50bbdd326ab3fd501ed2b3e759ee8e7962a6b9108513fffa8a34979ac772c69e44ce706fa56bb2656ff764eb786d422058b6e3f9

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
163KB

MD5
2522f26b7c4a7efaeee4aa409af0b9cb

SHA1
2f74ea646b7df6e88e309b254894df3d5c37cf2b

SHA256
b370ffde3596399e7e3b28bbf4aadefa3a16e9ccfa87ff941c7ebbe643898e65

SHA512
62685a1fa8c15ab0b4ad9a09e5181a80c694d71fa55f055aa12286021d0131706251d0ba9fd69656876d558628e00dd3619d3d33df1e366ffc55d6b27ea04a48

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
163KB

MD5
466f3b50def46ee41fe65421b06debb1

SHA1
4264ef12ef6e566618e6933e23f34e22507704af

SHA256
b6e881b9ced6cbf07b3a3867d1b2601341a99337b49eb70d2dbc006c99c20d08

SHA512
efd9417c22383d4220342facbe3686c7f2f4e22b99d95f4cfb706e6ab893d1beadbd673b4a773b07fa8345800ae988f9ae6a6f59dfde72d57a991a3723497c91

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
163KB

MD5
2747632094559000df7886b5a2a043df

SHA1
18ac6311cd2c3bf49d3ffd2efa61515013ec0bac

SHA256
021dda658c6ed90bef1f4a6554e263ad8b74ae980996bd4291b361c7dc402705

SHA512
db5924ed5710ca0f48ad0ac247580f05075cbeb0cbd71870cc963754a8c2e1e44b3dcd1475091d91d76cc60988e77fde0323bf11bb0e64216146130b172be99e

Download Submit
\Windows\SysWOW64\Bajomhbl.exe

Filesize
163KB

MD5
c6ed3ed89625910b2eb8523c2b2ec550

SHA1
7e4e42601b6223e6903a2a7132c543f3ac47fc41

SHA256
010db8a8b61957b314eb4e8854455443dca48244f564ae74a6abfc558fbcf2f9

SHA512
6306ed9e637b3cf56b8fe3dafd4a9b7de1f0537a033fe85af33b304f633d07203524d3b89b8716ebac248f8b6a8d85371ebe75fe33756ec72bc678a075686346

Download Submit
\Windows\SysWOW64\Bbikgk32.exe

Filesize
163KB

MD5
56f150f6f8480f87ca15983f9189e0ef

SHA1
d5742e784113cc6652316837a79861f208d5ab8b

SHA256
14312a9138cbddfd85fa67df7a42051138302054c51fc68b95243af13d004390

SHA512
3c3625a142909d1b50b7b8e27025a13c7f011788f7a2b4082fe30f8c0d84971d3b26c3a4025004fdffea0c9def13c693182acf2c09d03e926cc414aff484f5f0

Download Submit
memory/320-82-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/320-94-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/320-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-100-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-101-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-95-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-63-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2816-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-12-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2816-6-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2816-98-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2840-92-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2840-49-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2840-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2840-90-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-35-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2956-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2972-19-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2972-99-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads