berbew | a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Size

74KB
MD5

b326ed69c76644a2acad381668be7110
SHA1

6dc0cd02ad41e59942829c6d5fccd95395945254
SHA256

a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230
SHA512

f0d6825af7601f1b5eb7a5f6858ee1b34140a74d40141c130de11be8dc66722d5fa0b70b3d16cb9628614f51db30d0efe9ac85ecdfeb55caca3af76ddd17c4f8
SSDEEP

1536:A8Xsbe+BEOnZglWrVfP8K/Xmg6wFvjT/3ierXT7/LsieOm:AFbX9ZGgX8GXzL3rXTbm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 6 IoCs

pid	Process
2880	Nmpnhdfc.exe
2808	Ndjfeo32.exe
2632	Nigome32.exe
2392	Npagjpcd.exe
540	Nenobfak.exe
1988	Nlhgoqhh.exe

Loads dropped DLL 16 IoCs

pid	Process
2888	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
2888	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
2880	Nmpnhdfc.exe
2880	Nmpnhdfc.exe
2808	Ndjfeo32.exe
2808	Ndjfeo32.exe
2632	Nigome32.exe
2632	Nigome32.exe
2392	Npagjpcd.exe
2392	Npagjpcd.exe
540	Nenobfak.exe
540	Nenobfak.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmnppf32.dll	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nenobfak.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Kjbgng32.dll	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Npagjpcd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2124	1988	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nenobfak.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2880	2888	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe	30
PID 2888 wrote to memory of 2880	2888	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe	30
PID 2888 wrote to memory of 2880	2888	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe	30
PID 2888 wrote to memory of 2880	2888	a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe	30
PID 2880 wrote to memory of 2808	2880	Nmpnhdfc.exe	31
PID 2880 wrote to memory of 2808	2880	Nmpnhdfc.exe	31
PID 2880 wrote to memory of 2808	2880	Nmpnhdfc.exe	31
PID 2880 wrote to memory of 2808	2880	Nmpnhdfc.exe	31
PID 2808 wrote to memory of 2632	2808	Ndjfeo32.exe	32
PID 2808 wrote to memory of 2632	2808	Ndjfeo32.exe	32
PID 2808 wrote to memory of 2632	2808	Ndjfeo32.exe	32
PID 2808 wrote to memory of 2632	2808	Ndjfeo32.exe	32
PID 2632 wrote to memory of 2392	2632	Nigome32.exe	33
PID 2632 wrote to memory of 2392	2632	Nigome32.exe	33
PID 2632 wrote to memory of 2392	2632	Nigome32.exe	33
PID 2632 wrote to memory of 2392	2632	Nigome32.exe	33
PID 2392 wrote to memory of 540	2392	Npagjpcd.exe	34
PID 2392 wrote to memory of 540	2392	Npagjpcd.exe	34
PID 2392 wrote to memory of 540	2392	Npagjpcd.exe	34
PID 2392 wrote to memory of 540	2392	Npagjpcd.exe	34
PID 540 wrote to memory of 1988	540	Nenobfak.exe	35
PID 540 wrote to memory of 1988	540	Nenobfak.exe	35
PID 540 wrote to memory of 1988	540	Nenobfak.exe	35
PID 540 wrote to memory of 1988	540	Nenobfak.exe	35
PID 1988 wrote to memory of 2124	1988	Nlhgoqhh.exe	36
PID 1988 wrote to memory of 2124	1988	Nlhgoqhh.exe	36
PID 1988 wrote to memory of 2124	1988	Nlhgoqhh.exe	36
PID 1988 wrote to memory of 2124	1988	Nlhgoqhh.exe	36

C:\Users\Admin\AppData\Local\Temp\a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe
"C:\Users\Admin\AppData\Local\Temp\a8964451f23af0dec9b06a57f43260a0c985ebf69b52be72d9c6aea663680230N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\Nmpnhdfc.exe
  C:\Windows\system32\Nmpnhdfc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Ndjfeo32.exe
    C:\Windows\system32\Ndjfeo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\Nigome32.exe
      C:\Windows\system32\Nigome32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 140
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mehjml32.dll

Filesize
7KB

MD5
35811b658a763dfceb4098b8c1b7ce9c

SHA1
4556805408c15960893caf76e95c509aee914e2e

SHA256
57527077da3a485085acd08c331e0dfa76108e42bc42f82a13b54387db27a9c4

SHA512
13117423a1228cf65854b78dae913fb1acdbaf6a084e44921b643e3beec3df7f7d918d9f06a14d3e4a007b20c778a14c89dc6aa87db04a5c41b0686259e15c94

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
74KB

MD5
a299adfa33df689b313558143c193d23

SHA1
70b54fa1f66462def58ed85a6e7e3eade391aea4

SHA256
deae3e08471ce6736d3b9b2f77b22abfcbc837115cf42c6ed05ed00f0fc0eb7e

SHA512
d0e38354217fd44e1594164d8a94a6e70f27dec2095d15840f3313241c760e9335f75ded2aab6895a60bfa293d70178cb8f9ff3f6f8596e2b80ff392920c5ce6

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
74KB

MD5
45feb522187c13cb492fb648ffcbe380

SHA1
fc878c93cefbd49f4e0140a887d4f390ec666abf

SHA256
7ef248c46ffdf632b919f7f09ec5b20df104b9e0a3d6508d6a4f9a217d461d39

SHA512
979d5d746d70df2fa3d07a866af24bfda021e636b5e793cb6d314bfa6917573f1736adf86925feeaf4dedb25bcd57071688e2407bbb6f020b9362cae9ad506ac

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
74KB

MD5
b4f2093c5c7ef821d9a53801bf0ef7b8

SHA1
60addb177bf9627974080490f07a38d56f6c9c92

SHA256
b7da88d1e016d1c4670ddd3fac98a37df0ef10ddcad1996300dac316f80ba723

SHA512
ea103552e530168f5f0cf962ac2488f52b9840a91b58e3be565db5c6d2e32d069d659d64b809fe26de5ef7206010d2f7e9bf2294390bbd7170ea3f4ab5d799cf

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
74KB

MD5
34229c3baef5dcf9a82523a26355bc92

SHA1
8d9dd3569594c36d3496f6f690796908bb1935e3

SHA256
dffd2a086b039663146b6ab6b8c5f2915c19f3db10182ea1debd70098baf48eb

SHA512
473ffc0182eadeb2bc848b0b3fd4c0129e19066de9f7697ecf567095effb001484f1a7927cad4c4101ff9a32be014a128d222681e62433e93cc1a806180a1c5d

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
74KB

MD5
b6ee31f2c3f1ae9b328ea52a68a78803

SHA1
bcb7eb9d15d8e32eae1a8c714b987c079edc1cf1

SHA256
2199dbfb53d3d4ab19a78d6c9c923423e650bea9d4fc4c480c4b13e23ec8cd39

SHA512
14440d75fbadb61999abcbe69b4ff50a1d28a962ae11cbc4fefbe36c24aff28f9bb868a84d19b2e01ad492c2df56619e55f207158197705af33e5a4bd47a77a6

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
74KB

MD5
1b249c3c724b06b82040e8c5b0407e37

SHA1
a42290041073c21897d357bdbbba1ea305998826

SHA256
4abab3bb587c7281b87efa90a2865f87cfce632753715cfb6917ab44418c9652

SHA512
77664d3eba581e38cea553decfdbe0ab6119f69f85f0a45a2a9a6ae598b5b015ce4d58a6be71c17f3d33b2c1516d2dd8429066ba69f610273fc133ee212c889e

Download Submit
memory/540-86-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1988-91-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1988-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2392-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2392-89-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2392-62-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2632-53-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2632-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-40-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2808-35-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2808-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2880-90-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2880-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2888-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2888-11-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2888-12-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2888-92-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads