berbew | afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Size

85KB
MD5

a16c2a3acd3cb3d77a3771c0a0f003f7
SHA1

2c181395b2511974f786138815f22f2e005d8cbe
SHA256

afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2
SHA512

d7eebca3b658648a8c7ca0de16916488b324e247974b4d65c0ad29bda0daba783ab31a3006878a754a1c15a007bbbb2b518ed8bdde1c6e64388ccf5812be2eb1
SSDEEP

1536:f64mODOs64iWwzN04C0PiGzfHu51G5YclO7uXcNvvm5yw/Lb0OUrrQ35wNBJ:yXe64yN0nM5P2E5YX7usluTXp6J

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 6 IoCs

pid	Process
2236	Bonoflae.exe
2464	Bdkgocpm.exe
2704	Bmclhi32.exe
2500	Bhhpeafc.exe
1092	Cdoajb32.exe
2164	Cacacg32.exe

Loads dropped DLL 16 IoCs

pid	Process
2848	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
2848	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
2236	Bonoflae.exe
2236	Bonoflae.exe
2464	Bdkgocpm.exe
2464	Bdkgocpm.exe
2704	Bmclhi32.exe
2704	Bmclhi32.exe
2500	Bhhpeafc.exe
2500	Bhhpeafc.exe
1092	Cdoajb32.exe
1092	Cdoajb32.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bhhpeafc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2368	2164	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2236	2848	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe	30
PID 2848 wrote to memory of 2236	2848	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe	30
PID 2848 wrote to memory of 2236	2848	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe	30
PID 2848 wrote to memory of 2236	2848	afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe	30
PID 2236 wrote to memory of 2464	2236	Bonoflae.exe	31
PID 2236 wrote to memory of 2464	2236	Bonoflae.exe	31
PID 2236 wrote to memory of 2464	2236	Bonoflae.exe	31
PID 2236 wrote to memory of 2464	2236	Bonoflae.exe	31
PID 2464 wrote to memory of 2704	2464	Bdkgocpm.exe	32
PID 2464 wrote to memory of 2704	2464	Bdkgocpm.exe	32
PID 2464 wrote to memory of 2704	2464	Bdkgocpm.exe	32
PID 2464 wrote to memory of 2704	2464	Bdkgocpm.exe	32
PID 2704 wrote to memory of 2500	2704	Bmclhi32.exe	33
PID 2704 wrote to memory of 2500	2704	Bmclhi32.exe	33
PID 2704 wrote to memory of 2500	2704	Bmclhi32.exe	33
PID 2704 wrote to memory of 2500	2704	Bmclhi32.exe	33
PID 2500 wrote to memory of 1092	2500	Bhhpeafc.exe	34
PID 2500 wrote to memory of 1092	2500	Bhhpeafc.exe	34
PID 2500 wrote to memory of 1092	2500	Bhhpeafc.exe	34
PID 2500 wrote to memory of 1092	2500	Bhhpeafc.exe	34
PID 1092 wrote to memory of 2164	1092	Cdoajb32.exe	35
PID 1092 wrote to memory of 2164	1092	Cdoajb32.exe	35
PID 1092 wrote to memory of 2164	1092	Cdoajb32.exe	35
PID 1092 wrote to memory of 2164	1092	Cdoajb32.exe	35
PID 2164 wrote to memory of 2368	2164	Cacacg32.exe	36
PID 2164 wrote to memory of 2368	2164	Cacacg32.exe	36
PID 2164 wrote to memory of 2368	2164	Cacacg32.exe	36
PID 2164 wrote to memory of 2368	2164	Cacacg32.exe	36

C:\Users\Admin\AppData\Local\Temp\afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe
"C:\Users\Admin\AppData\Local\Temp\afd249af7f0b15f3845c3cc6e69542cfdfd8af35d5013bb399bd6038504f1fa2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Bonoflae.exe
  C:\Windows\system32\Bonoflae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\Bdkgocpm.exe
    C:\Windows\system32\Bdkgocpm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\Bmclhi32.exe
      C:\Windows\system32\Bmclhi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 140
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
85KB

MD5
3b59b8e906217ca12d5ea1ee29a8c41b

SHA1
ed83d1c92586abf11aea95e22ee1e2c629251100

SHA256
e7c5f874390147c6f3e73a2bc78399770130d254d78fc0fabac3b67b41d422ea

SHA512
787c41dcfdb85a313e9909dd998be45ff9b010054481990f7c288f655260e0e4ddb570d4fd1c5c8e95623756ba6ceac3b117894f12caec0cf57ef4d3d912143e

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
85KB

MD5
6d3453e02cd3e7ae14e480954b541ca9

SHA1
dbd1df2ccf664446b9faa2c4738b7e820f033915

SHA256
f06cd64451ba7d7eff506fa603f3bc6c7a5d965cea230c6b7491a139fb2039c7

SHA512
a3025630d636a17d36a254796bf6d20149a7f12f31c432ed97969a2c41f5538dbd11665362084a0c0473866ea987ee4121852fe193f2b9ece9d598ac997d0302

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
85KB

MD5
a74e58e02d9472c90a2026f878fc7d22

SHA1
b4293d3706461755ea09484f883c8073b7932cb6

SHA256
543cd628f33291da1f58a306a7d2c7824fed592c8bdc188c8dd6ff60e5ba1f61

SHA512
1741b2d3bfbffd9743f56a9f5c19427057a5f86df7eaad9534d8c5d51a30656947abcdd33155f04167f64b19f143189bdd2e3413a04ad170e580f679fa4034e1

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
85KB

MD5
d857b332aca972f0d44f00ba57f629f5

SHA1
50dd83b9c425d7846a0e02332f70e3a7215cd09d

SHA256
98315f50a7ea3ae9a7c37725e843f18804e08d500e9704bee8c8fc07602cad6c

SHA512
cfa60420e90d4fe0946e1d72eb4115e32a34d7aad4ffdbd5ac0506f55a7a50e036cebf636f5e6c52ee29efa5d4bc9c5c5fc6cfe6260671c14888d04c4518c961

Download Submit
\Windows\SysWOW64\Bmclhi32.exe

Filesize
85KB

MD5
086b36c9e2864e193fad353f489466b9

SHA1
f3e4e0a078f38b8dfa634b5a49307654fc11d975

SHA256
255d7d573944d7810ae777287afbef97ad8a1d2ade024599cf9d4206543f91b5

SHA512
7f1e80c3a7052c826a853f0a94821d4eaed1d7b442abf2ce038350c8df9ed68a8716461eeaccf1e2e137afc6e20be8f2e26785dc6032347251a75ce921124984

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
85KB

MD5
8fda9fe6b9f2364fb66ce4e2a2f21f45

SHA1
abe8c06867fed737e55b15293ae695cc642ac2da

SHA256
88c9b9972e0994066daf30db1338a95abae702c9614a2a9860b23fffd02079ba

SHA512
33afbf99aa6b9dd5eebf56bb3dc1b8cbe875084a200360e493a6a0bdc608aa0b5c77b44f8ad152a5f34a0241d30825c178211a61dce64fc29055499b2e85d703

Download Submit
memory/1092-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-26-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2464-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-35-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2464-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-62-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2500-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-53-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2704-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-7-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2848-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads