87200fc55cb6bcd8298d32d503151d503863853de591167ef4f8a55b1b8926c5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 03:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e7824a56d1207282e27a3938162552c0_NEIKI.exe
Size

404KB
MD5

e7824a56d1207282e27a3938162552c0
SHA1

8a6af981962596d259992c560466e76f45ffbf6e
SHA256

87200fc55cb6bcd8298d32d503151d503863853de591167ef4f8a55b1b8926c5
SHA512

7f0c680ae1a4715676e4582343d16bf915e0f64fe1f2b429e47b6e2de0e649fa467dc3da1bfcb1116973b77b23fb61a3615e31de8af12179261356314e26764f
SSDEEP

12288:EP+XXmYgNjwcMpV6yYP4rbpV6yYPg058KS:EKtgNjwcMW4XWleKS

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e7824a56d1207282e27a3938162552c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e7824a56d1207282e27a3938162552c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe

Executes dropped EXE 7 IoCs

pid	Process
3772	Mnfipekh.exe
1672	Mpdelajl.exe
4936	Mcbahlip.exe
4080	Ncgkcl32.exe
1860	Nkncdifl.exe
3364	Nnolfdcn.exe
3504	Nkcmohbg.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	e7824a56d1207282e27a3938162552c0_NEIKI.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	e7824a56d1207282e27a3938162552c0_NEIKI.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	e7824a56d1207282e27a3938162552c0_NEIKI.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	3504	WerFault.exe	84

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e7824a56d1207282e27a3938162552c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e7824a56d1207282e27a3938162552c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e7824a56d1207282e27a3938162552c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	e7824a56d1207282e27a3938162552c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	e7824a56d1207282e27a3938162552c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e7824a56d1207282e27a3938162552c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 3772	948	e7824a56d1207282e27a3938162552c0_NEIKI.exe	78
PID 948 wrote to memory of 3772	948	e7824a56d1207282e27a3938162552c0_NEIKI.exe	78
PID 948 wrote to memory of 3772	948	e7824a56d1207282e27a3938162552c0_NEIKI.exe	78
PID 3772 wrote to memory of 1672	3772	Mnfipekh.exe	79
PID 3772 wrote to memory of 1672	3772	Mnfipekh.exe	79
PID 3772 wrote to memory of 1672	3772	Mnfipekh.exe	79
PID 1672 wrote to memory of 4936	1672	Mpdelajl.exe	80
PID 1672 wrote to memory of 4936	1672	Mpdelajl.exe	80
PID 1672 wrote to memory of 4936	1672	Mpdelajl.exe	80
PID 4936 wrote to memory of 4080	4936	Mcbahlip.exe	81
PID 4936 wrote to memory of 4080	4936	Mcbahlip.exe	81
PID 4936 wrote to memory of 4080	4936	Mcbahlip.exe	81
PID 4080 wrote to memory of 1860	4080	Ncgkcl32.exe	82
PID 4080 wrote to memory of 1860	4080	Ncgkcl32.exe	82
PID 4080 wrote to memory of 1860	4080	Ncgkcl32.exe	82
PID 1860 wrote to memory of 3364	1860	Nkncdifl.exe	83
PID 1860 wrote to memory of 3364	1860	Nkncdifl.exe	83
PID 1860 wrote to memory of 3364	1860	Nkncdifl.exe	83
PID 3364 wrote to memory of 3504	3364	Nnolfdcn.exe	84
PID 3364 wrote to memory of 3504	3364	Nnolfdcn.exe	84
PID 3364 wrote to memory of 3504	3364	Nnolfdcn.exe	84

C:\Users\Admin\AppData\Local\Temp\e7824a56d1207282e27a3938162552c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\e7824a56d1207282e27a3938162552c0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\Mnfipekh.exe
  C:\Windows\system32\Mnfipekh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\Mpdelajl.exe
    C:\Windows\system32\Mpdelajl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\Mcbahlip.exe
      C:\Windows\system32\Mcbahlip.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
      - C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        8⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 412
        9⤵
        Program crash
        
        PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3504 -ip 3504
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jkeang32.dll

Filesize
7KB

MD5
31d91a28c223798e8228c513d664b925

SHA1
7859ffe5c768fd299677fbcb0cc6bcae19c9d0a4

SHA256
a11af505a92dc1157da5a5d6820f006bd20adb11a8080499bc9e86635d5c9895

SHA512
25c0134a938af78567983144d55c3736a5e9043c87fc138b93bc24c1a47660750e26757a2b9eda5b42ee20fd73c2c4a290cd97504d8b7e869814ff6ca28ea403

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
404KB

MD5
58d8fba12759334ccf62d37ebdf8a013

SHA1
7db05b36896dd902293f682ab2e1e7f4d7ada72c

SHA256
68b9b8d03d07e14a4538b99d44cf0282d5f87482a5919e265682feba61d9d8ee

SHA512
341e6d21bd92891a59dfd61118a355f7868b0627618b6443e6665fd0ce71141fdfada7cf574e65d09123ae8ffae6c4504473d4ddc3d1aed581d889c42df27393

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
404KB

MD5
748d01d60adc013b2fdb688fa4c77dca

SHA1
4687720088d09f78f077c62fada1a1093eaccc40

SHA256
f94b3d1d049d0d723209b30851cd9e883323357ce55ee2835fc403c58424d67e

SHA512
90155a8af9729f9a0657639fd84093150e372e51910a501eccc0ec35050ec60d446478c143f2700bd9d079868927da6aa29a80a1ced55641615f46a560e85ca1

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
404KB

MD5
b7b060596a8465e64b919485112e2f04

SHA1
f09161194fc8f95877631507ff56557b1f5d6a03

SHA256
4eecc2f613525092dee30eab044c0f532f9e14fc85c50e353405756aef96902a

SHA512
c633f6b969fb3d7e0336d8fd4ce2d676be394fa182ba9b2be79cd287879da3ef2e5b2903b2aca1f20d4c76ea266ddd1db8e3a1d5d0515bf01a237e8ad6fe7b1e

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
404KB

MD5
4be02c7b3881341a426586cdae6e7ca0

SHA1
c46b141383bcb0ffcc6bcaa1ab483bde78548d7d

SHA256
d66d549bd931460462c3894714aebf550101368d1f2f4b2208b01baf0e3121f4

SHA512
8ec791f412f530b55371cd2c432facb73b2058b17b9452730733cfd552b09c1305b8f809d41837ba41f39bf2b5cf017a4f658b2571ff64de7bc3bdf7a201ef59

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
404KB

MD5
03764531ca700ad3d5490ab49e09428d

SHA1
578ba2d62d09dcd8c38a8a63d633faa90deaa9a1

SHA256
e4ba841e10f208eb3965d0a54f117ffd262bbbb903b019a44b233affb3010422

SHA512
cab6cdd839c6c5ec5bb4d23be62aeec978ac74558d8a441431ff2184e4fe0f4e00220bc741e00f457020432db6e3cd5b400419f465dcdb035160b826f42a162e

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
404KB

MD5
6c07ad575c9159ed63ccd5d25fdf2965

SHA1
b9983dc1b9c16eb938a93ab4384da739e9d76c80

SHA256
9c0ff50c4438f389bec758f1abc50800e5132090bd0e366cbf782ed215baa997

SHA512
1b0df0a37e03d8515ca5da2eb1d61711e8ccac414e5cbc2b2478cca962b2f0910e38bbc073be4a368639585e0162f05f94a6743827e4de92dc6e23529af01914

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
404KB

MD5
d8b2cdb1938ed969915c1081bc39b6dc

SHA1
d0a2b6c8890a132b991164ce1bf88b1092a6e77e

SHA256
b1101dff105b1d4e5b1034b0667aefb7394ea580f1bd37651c153a9c9f172b23

SHA512
c7f76f0dd9f0b57324f8dd7cbf20cfefb20bd091eb9ccb0ffd6b363baa9a6b5d5d0916910793ff8c8353ce0b2af82f9f4b90e4331d36e1751477bec252e47f41

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
404KB

MD5
0a9196b154afe4043a70e6b680c5ad4f

SHA1
9c5e02d4a24d054a612ecdc0ec57fb65850af15d

SHA256
c3b0f276960eb273f9923ab6292cdfde8a12f86a983bc4384e428e634b928d39

SHA512
a9f7783a7b7ec7bbdcb3577848ef41000fc4208bf3af5124e826fa9e9b531c45f9c5c75a1ab96fa58d83fc090364b0ab28c4d8e13221ee58db94f864b3da8c58

Download Submit
memory/948-62-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-58-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-61-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads