berbew | 8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5

General

Target

8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Size

163KB
MD5

36a4d3344a063ac87063ffdf1eeafff4
SHA1

f4f42c3953caf6af2aaf0182588f3af6e67cf737
SHA256

8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5
SHA512

a4f99eebde811f5f4d3c1f87b541e4474f779bcab278b13b56476c8cac7776aedc2fe361584f7f1086c7663227f7971e80589c663a666ac82cde30acb7c360be
SSDEEP

1536:PoKM1jTM/C4WkZ6zfQYDFlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUA:qj54WkZ6LQCFltOrWKDBr+yJbA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 5 IoCs

pid	Process
1760	Aoagccfn.exe
2812	Bdqlajbb.exe
2740	Bmnnkl32.exe
2676	Cfmhdpnc.exe
2708	Dpapaj32.exe

Loads dropped DLL 13 IoCs

pid	Process
2980	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
2980	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
1760	Aoagccfn.exe
1760	Aoagccfn.exe
2812	Bdqlajbb.exe
2812	Bdqlajbb.exe
2740	Bmnnkl32.exe
2740	Bmnnkl32.exe
2676	Cfmhdpnc.exe
2676	Cfmhdpnc.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Dqaegjop.dll	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	2708	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1760	2980	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe	31
PID 2980 wrote to memory of 1760	2980	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe	31
PID 2980 wrote to memory of 1760	2980	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe	31
PID 2980 wrote to memory of 1760	2980	8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe	31
PID 1760 wrote to memory of 2812	1760	Aoagccfn.exe	32
PID 1760 wrote to memory of 2812	1760	Aoagccfn.exe	32
PID 1760 wrote to memory of 2812	1760	Aoagccfn.exe	32
PID 1760 wrote to memory of 2812	1760	Aoagccfn.exe	32
PID 2812 wrote to memory of 2740	2812	Bdqlajbb.exe	33
PID 2812 wrote to memory of 2740	2812	Bdqlajbb.exe	33
PID 2812 wrote to memory of 2740	2812	Bdqlajbb.exe	33
PID 2812 wrote to memory of 2740	2812	Bdqlajbb.exe	33
PID 2740 wrote to memory of 2676	2740	Bmnnkl32.exe	34
PID 2740 wrote to memory of 2676	2740	Bmnnkl32.exe	34
PID 2740 wrote to memory of 2676	2740	Bmnnkl32.exe	34
PID 2740 wrote to memory of 2676	2740	Bmnnkl32.exe	34
PID 2676 wrote to memory of 2708	2676	Cfmhdpnc.exe	35
PID 2676 wrote to memory of 2708	2676	Cfmhdpnc.exe	35
PID 2676 wrote to memory of 2708	2676	Cfmhdpnc.exe	35
PID 2676 wrote to memory of 2708	2676	Cfmhdpnc.exe	35
PID 2708 wrote to memory of 2576	2708	Dpapaj32.exe	36
PID 2708 wrote to memory of 2576	2708	Dpapaj32.exe	36
PID 2708 wrote to memory of 2576	2708	Dpapaj32.exe	36
PID 2708 wrote to memory of 2576	2708	Dpapaj32.exe	36

C:\Users\Admin\AppData\Local\Temp\8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe
"C:\Users\Admin\AppData\Local\Temp\8be917e69fb86b348fd99b2dace7077e897ec0c62b5a65e7046f3f0a32fe97e5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\Aoagccfn.exe
  C:\Windows\system32\Aoagccfn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\Bdqlajbb.exe
    C:\Windows\system32\Bdqlajbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Bmnnkl32.exe
      C:\Windows\system32\Bmnnkl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 144
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
163KB

MD5
3ee5b9ef26868fc5716a2c5e6e237841

SHA1
ec085a52d5dc0a8f16c94ce1eab0129fe5cf0ba1

SHA256
a51a81c454e6ea19ffc89f1425ef615fcfc8bb2e9ba6a2681993c2fc0944d6f1

SHA512
f39e40d6da780302778871124e593af734c45a87fa1955b294778a5107e02040351dc4ea2ceb0e7a6ff6b89d74aee6d22811a967ff5e33bcc6b429dbfb2b7da6

Download Submit
\Windows\SysWOW64\Bdqlajbb.exe

Filesize
163KB

MD5
693b2c4cd91912301584386ddc27b0bf

SHA1
a73289272692256193b2461047f590655dc6acfa

SHA256
62d26767d9153d563b197f0fbb035337e4ac910643270ee68cd46c75a8ab996b

SHA512
8eb328aa5e4d4d21397b84df75fb002298fb8e9d70aa625ceefc757d64cbe52a7a6b923526fec0fc5ebb96e67e999fdabd7c3700c52a895c42632c0873b20148

Download Submit
\Windows\SysWOW64\Bmnnkl32.exe

Filesize
163KB

MD5
3606f2d67629f44cf1f49d2009264520

SHA1
83fb937d6b07d7e5240eabbdb935967222874b54

SHA256
b066d466e2b7544a754ac6be8609767741f455f91f12a20f2a65729b90d07efe

SHA512
4ccda115af25318c67f7e2a2b05258c508fd62a893a7f1ad9bccb06f30e780757a66e8a09325f0a34b949b087fb7c59381d3c80b6d9693697ca9e2d00a4b3d0d

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
163KB

MD5
444e43078f864a1cf231e437c09c725e

SHA1
9c126af8ede79d5c1a0bedab4bb67664cf1dbb1c

SHA256
eec88b302ea33a17c6243f993142f02c5baf05299dfcc9c48b9b770620300c54

SHA512
9574f6b745b1621a50b09006391c3e861c4e85fac6edd23ba275a722f70e93cf98a2672ebd7588c63ec564fc66f0a0de8dde4423210f58921f9bdbc769f8d309

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
163KB

MD5
e2ebce06ea67eb24453460ada792a66d

SHA1
e7e5d31940ec0f0454f403ddd4f7092674f04fff

SHA256
7ea99a90bbc260599e0536d233290e574f98d0a28208c7e3a22ce532b651033d

SHA512
f8394d591897e20564d28a18ba398da2ec5b2c0ddfa856e94773f074f26ba3f24e1e2f83921ccd3282eaa1ed9cd5b3a0b948ca7533cea4f398d8b9852d2be8f8

Download Submit
memory/1760-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1760-27-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/1760-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1760-21-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/1760-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2676-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2676-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2676-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2676-69-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2676-68-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2708-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-85-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-49-0x0000000001FF0000-0x0000000002043000-memory.dmp

Filesize
332KB

Download
memory/2740-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-54-0x0000000001FF0000-0x0000000002043000-memory.dmp

Filesize
332KB

Download
memory/2740-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2980-11-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/2980-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2980-87-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads