berbew | 8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551

General

Target

8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Size

80KB
MD5

f989ffff225c1fbeae09c3e322113ff0
SHA1

2b38c291ca45cb936c6adf7177e0cf22e0bfef4c
SHA256

8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551
SHA512

990bdf80f11a378076b521f2ec76edd020d0e691c8dfd9f2a416f43789d4f38248fb8b9d1ce1c8cb0d4e7c93b7c8b63311278d50957a0b5201596a89c460261c
SSDEEP

1536:bc9etJKBWLtHSaFD6lxE9xQPTH0LLm2LcaIZTJ+7LhkiB0:bqSJKMtHSaElxEgPTHIcaMU7ui

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 6 IoCs

pid	Process
3572	Dmgbnq32.exe
2976	Ddakjkqi.exe
4780	Dkkcge32.exe
4052	Deagdn32.exe
2400	Dgbdlf32.exe
1180	Dmllipeg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4724	1180	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 3572	1252	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe	83
PID 1252 wrote to memory of 3572	1252	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe	83
PID 1252 wrote to memory of 3572	1252	8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe	83
PID 3572 wrote to memory of 2976	3572	Dmgbnq32.exe	84
PID 3572 wrote to memory of 2976	3572	Dmgbnq32.exe	84
PID 3572 wrote to memory of 2976	3572	Dmgbnq32.exe	84
PID 2976 wrote to memory of 4780	2976	Ddakjkqi.exe	85
PID 2976 wrote to memory of 4780	2976	Ddakjkqi.exe	85
PID 2976 wrote to memory of 4780	2976	Ddakjkqi.exe	85
PID 4780 wrote to memory of 4052	4780	Dkkcge32.exe	86
PID 4780 wrote to memory of 4052	4780	Dkkcge32.exe	86
PID 4780 wrote to memory of 4052	4780	Dkkcge32.exe	86
PID 4052 wrote to memory of 2400	4052	Deagdn32.exe	87
PID 4052 wrote to memory of 2400	4052	Deagdn32.exe	87
PID 4052 wrote to memory of 2400	4052	Deagdn32.exe	87
PID 2400 wrote to memory of 1180	2400	Dgbdlf32.exe	88
PID 2400 wrote to memory of 1180	2400	Dgbdlf32.exe	88
PID 2400 wrote to memory of 1180	2400	Dgbdlf32.exe	88

C:\Users\Admin\AppData\Local\Temp\8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe
"C:\Users\Admin\AppData\Local\Temp\8f27e29b73f7164ed6e39238245e9b435b422285dccaad8ca9f09c9dc37bd551N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\Dmgbnq32.exe
  C:\Windows\system32\Dmgbnq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\Ddakjkqi.exe
    C:\Windows\system32\Ddakjkqi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\Dkkcge32.exe
      C:\Windows\system32\Dkkcge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 404
        8⤵
        Program crash
        
        PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1180 -ip 1180
1⤵
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
80KB

MD5
405fecc354043b59daab7d7333086dcd

SHA1
fc8f31280f6b0e3357d966b340a4c44f8a3a90a3

SHA256
d43e913dfd96d72d8a7e0ba747bc1078150967481186052aeb7f2698dd060449

SHA512
b297b7322efc2a722b062612065571070cc373c1a227f92b5bc7ef07a11c249101318ec38e94beefa3cb5fe81906cf5eb29179f18835d223046f1ef62c56c1eb

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
d10f65d5e99392642a326c190d95c6d3

SHA1
49b3df8952c9ba9170bd85f9ba163e6696d55c12

SHA256
d10c1d9288ee06a29fa49d3b607771dda8af40d85113d5f58e286d32e9b333bc

SHA512
827494eef908befd728d824ff1f381c5edfea87961f603a68c59bddcbd31592facd6815f01eb062c03406294e51cda6252be050416aeeeb907babd3e15e5885c

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
80KB

MD5
34e3a94467b845f975c6779ba36a1b10

SHA1
113cbe63e0f5317bec1b38c0e8df2bf956160e4e

SHA256
2048fce6aa17d7ed0bc7a60c110ad5d68400176ab575e2ab9844874e725552a7

SHA512
6df63688be5a912724d9483f011de2a8fe7f6805effeefcf93e208869f8241afe0513b7c7069f48a504d77c9a0bbce94fbf99c09493298a9127af24ad78b365a

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
80KB

MD5
7cb55eae7436664f8fcaafe9fec0c196

SHA1
db8dff30fdd516a08f319635160942b74b1de071

SHA256
d94e75a86bc7a6d25a20783f22dcd3030cae0f09345d0ce47f997c95e5c6724e

SHA512
16fbb8216c6bdb475c5f3570bee9d234cf58a9361a03f1f20f8f75a27a476c44cbc62f99485fda2e40e4e98b5a996a4812e545b1e2673491a52581b8429ecaf5

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
80KB

MD5
81070876690762b8242350b489284f8d

SHA1
3ab7cb3743cb435b2df950a0b68e433aceb00378

SHA256
f904302804cb6d434cecf1b375ab5878f4ef048f393f42a62302293a7c31826c

SHA512
7d37e70769dc95f1a7a1b9ca19f833b1404930c443017a69a41274a1f1387dcc651bba2be7a13414ec6b87cb5eb65fb7b64c12fe52a61ca9899221546da524b6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
197868aae4ed3f4f24e8245c184d5efd

SHA1
45582bb592f4350e26c43211fcfaa3afa6282c69

SHA256
7295282e874ea715c3f336bb380e363f732cf07b638bf596d6c1bd08c854dc1c

SHA512
55dc197a7dd4990212e30633cf8ae08a95556890c15946edd0921f8dcde224ad9a6604b2a4b1068039a06b66bfe8057d20f39506f2f9a91b747e79778c92ef9f

Download Submit
memory/1180-50-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1180-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1252-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1252-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1252-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2400-51-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2400-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2976-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2976-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3572-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3572-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4052-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4052-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4780-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4780-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads