26d5db82f53c68d1c73f991f0356c37b8ab6b20aa97720905339aa1da8ad6178

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Size

1.1MB
MD5

c3499dfa80160455a203e6a158a8e470
SHA1

8c5862fe7133ed8d5963107724ff38127474a200
SHA256

26d5db82f53c68d1c73f991f0356c37b8ab6b20aa97720905339aa1da8ad6178
SHA512

4a9a59597f64a552f547bc28098a515539461d2cc66ce07db289aa0bbc9d839b2d4efa79524a4a7fdca5bbf593df65d47e713ffa13556112acc1cbb20ea63a6c
SSDEEP

24576:79TrQg5Wm0BmmvFimm0MTP7hm0BmmvFimm0HkEyDucEQX:79fQg5SiLi0kEyDucEQX

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe

Malware Dropper & Backdoor - Berbew 15 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000800000002328e-7.dat	family_berbew
behavioral2/files/0x0007000000023429-15.dat	family_berbew
behavioral2/files/0x000700000002342b-23.dat	family_berbew
behavioral2/files/0x000700000002342d-30.dat	family_berbew
behavioral2/files/0x000700000002342f-38.dat	family_berbew
behavioral2/files/0x0007000000023431-46.dat	family_berbew
behavioral2/files/0x0007000000023433-54.dat	family_berbew
behavioral2/files/0x0009000000023421-62.dat	family_berbew
behavioral2/files/0x0007000000023436-70.dat	family_berbew
behavioral2/files/0x0007000000023438-78.dat	family_berbew
behavioral2/files/0x000700000002343a-87.dat	family_berbew
behavioral2/files/0x000700000002343c-95.dat	family_berbew
behavioral2/files/0x000700000002343e-104.dat	family_berbew
behavioral2/files/0x0007000000023440-112.dat	family_berbew
behavioral2/files/0x0007000000023442-120.dat	family_berbew

Executes dropped EXE 15 IoCs

pid	Process
744	Kdcijcke.exe
656	Kagichjo.exe
640	Kpjjod32.exe
60	Kcifkp32.exe
3448	Ldmlpbbj.exe
4672	Lpfijcfl.exe
3292	Mjqjih32.exe
2712	Mdfofakp.exe
1956	Mnapdf32.exe
2572	Mncmjfmk.exe
3320	Njljefql.exe
2800	Nnjbke32.exe
5036	Nkncdifl.exe
5068	Njcpee32.exe
3892	Nkcmohbg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Njcpee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4660	3892	WerFault.exe	99

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 744	348	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe	82
PID 348 wrote to memory of 744	348	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe	82
PID 348 wrote to memory of 744	348	c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe	82
PID 744 wrote to memory of 656	744	Kdcijcke.exe	83
PID 744 wrote to memory of 656	744	Kdcijcke.exe	83
PID 744 wrote to memory of 656	744	Kdcijcke.exe	83
PID 656 wrote to memory of 640	656	Kagichjo.exe	84
PID 656 wrote to memory of 640	656	Kagichjo.exe	84
PID 656 wrote to memory of 640	656	Kagichjo.exe	84
PID 640 wrote to memory of 60	640	Kpjjod32.exe	85
PID 640 wrote to memory of 60	640	Kpjjod32.exe	85
PID 640 wrote to memory of 60	640	Kpjjod32.exe	85
PID 60 wrote to memory of 3448	60	Kcifkp32.exe	86
PID 60 wrote to memory of 3448	60	Kcifkp32.exe	86
PID 60 wrote to memory of 3448	60	Kcifkp32.exe	86
PID 3448 wrote to memory of 4672	3448	Ldmlpbbj.exe	89
PID 3448 wrote to memory of 4672	3448	Ldmlpbbj.exe	89
PID 3448 wrote to memory of 4672	3448	Ldmlpbbj.exe	89
PID 4672 wrote to memory of 3292	4672	Lpfijcfl.exe	91
PID 4672 wrote to memory of 3292	4672	Lpfijcfl.exe	91
PID 4672 wrote to memory of 3292	4672	Lpfijcfl.exe	91
PID 3292 wrote to memory of 2712	3292	Mjqjih32.exe	92
PID 3292 wrote to memory of 2712	3292	Mjqjih32.exe	92
PID 3292 wrote to memory of 2712	3292	Mjqjih32.exe	92
PID 2712 wrote to memory of 1956	2712	Mdfofakp.exe	93
PID 2712 wrote to memory of 1956	2712	Mdfofakp.exe	93
PID 2712 wrote to memory of 1956	2712	Mdfofakp.exe	93
PID 1956 wrote to memory of 2572	1956	Mnapdf32.exe	94
PID 1956 wrote to memory of 2572	1956	Mnapdf32.exe	94
PID 1956 wrote to memory of 2572	1956	Mnapdf32.exe	94
PID 2572 wrote to memory of 3320	2572	Mncmjfmk.exe	95
PID 2572 wrote to memory of 3320	2572	Mncmjfmk.exe	95
PID 2572 wrote to memory of 3320	2572	Mncmjfmk.exe	95
PID 3320 wrote to memory of 2800	3320	Njljefql.exe	96
PID 3320 wrote to memory of 2800	3320	Njljefql.exe	96
PID 3320 wrote to memory of 2800	3320	Njljefql.exe	96
PID 2800 wrote to memory of 5036	2800	Nnjbke32.exe	97
PID 2800 wrote to memory of 5036	2800	Nnjbke32.exe	97
PID 2800 wrote to memory of 5036	2800	Nnjbke32.exe	97
PID 5036 wrote to memory of 5068	5036	Nkncdifl.exe	98
PID 5036 wrote to memory of 5068	5036	Nkncdifl.exe	98
PID 5036 wrote to memory of 5068	5036	Nkncdifl.exe	98
PID 5068 wrote to memory of 3892	5068	Njcpee32.exe	99
PID 5068 wrote to memory of 3892	5068	Njcpee32.exe	99
PID 5068 wrote to memory of 3892	5068	Njcpee32.exe	99

C:\Users\Admin\AppData\Local\Temp\c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c3499dfa80160455a203e6a158a8e470_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\SysWOW64\Kdcijcke.exe
  C:\Windows\system32\Kdcijcke.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\Kagichjo.exe
    C:\Windows\system32\Kagichjo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\SysWOW64\Kpjjod32.exe
      C:\Windows\system32\Kpjjod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
      - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        16⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 420
        17⤵
        Program crash
        
        PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3892 -ip 3892
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eqbmje32.dll

Filesize
7KB

MD5
5f5b200e98787f96e4d560feb2b19bf5

SHA1
5141f3816d00423eb620861d1036028048c2f781

SHA256
487290f0741fc40962fb5cc91cf31ca12050f127a37aa55c20222bd708c67c75

SHA512
c74a2cddd4237508791fa6a7bf33c7c2b73faaecf2cb4b5cb9906ebc9f1eccfafedd648192c94e01bdd696247a0922a99e7cb9865f132855d34a24734ab4a122

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
1.1MB

MD5
b260a996ae89a31dd99687e9178eba77

SHA1
a9cb4eadef2b00014c6f9ce22c1298629c163b89

SHA256
bebaab1dc82d55999f2438d6a5924cc638a781dad2a52fa09c954d47b9e36925

SHA512
7949f2a3c602153f0f8f9555568286dff86d56d518a86005ba9679737e1431e7724ab281373ee6d2b90b379bb76ecc79b8cc520643f4869019125d5a1a54be4c

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
1.1MB

MD5
9892be300daff4867a2b99af9a5ae489

SHA1
3bbc08055d7a8d92aa0f7b65cca7c9b8cc5f8aa6

SHA256
d4ab62ba8d980491cfaad4b834147c53d8ba14e348051fe6fbfb1e942dc276b3

SHA512
5f29eb62e2334cd654984e93510a255f087504f948e293ac47ae9649aff801a0d7a3d1a9af0fc50d831b9bababbbf186c09bcc512652548fe843140a41b20e68

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
1.1MB

MD5
c8738c04fc44f390359ff2e1ac1ff58d

SHA1
cc37cf1d937214a2fec89d07d89f0bb7f7fe7ae6

SHA256
6ddb17080c4d754b1802d1f205bff0b9963b59e0a7eccc7531b5f8e46dbb64d6

SHA512
d7cda89eb6b2d16ae09e0d54683feb63e71ba3c060072d52e11c0e01de2b22636b242518205c024fc2a545c8b7620be19d69d1e65d9424d6c72d68d651c090c2

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
1.1MB

MD5
1561d7d4ea390b24956488d2ac627d10

SHA1
a702317611e4b6d053f156cda1b6bcfd2d6b4b95

SHA256
9e54b8b1d6d3b36742e83edcf980b4c58fcb270d55918449b340efbab8cee8a5

SHA512
97e8dec415cd8535690647b5d5700d998bb906fe4e1add0cadbd15456b005410d7276b82f1f0e521ef43ba43f7083564c6095adb0ad7d095ed6f53cd6069e479

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
1.1MB

MD5
93ba40817e05339d8ff4df95f38690fb

SHA1
c13ad5a8a8e6403d26296e782492b3f694fcbda7

SHA256
699965b339b605ed389101e372ba31bdfe5bf8d43b64560e892ce1262b66f801

SHA512
151d88ec6b1c75343ed1248606fccd3322c62864cbdb99cd22cfc54a8f40a7634e796e31d92d0509d8794a2054a015668f55eae22c8a327ccf527aee6ae7606a

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
1.1MB

MD5
f3831b6073ed0b3c9918973e4d955127

SHA1
4f5b1cf525d9856082d9c3ed6a718d2cc88ee705

SHA256
7a6d8be983953cd9b0860951618b6cfdd460445789c31bcc94cffd250ab34947

SHA512
0836bfaf646f8e51aead06bc4afd530ea4b4d98f0551a93acf035fd207e23acc83444c4ba33b0bd98a8842c9c107dc84423d5447ed5668e95ae5eb6a7ce39ac4

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
1.1MB

MD5
3f441bc55cf424074d8c7928ee292d0a

SHA1
0a0287af35df20a7417ea58c107cafe4b3c8999f

SHA256
6ca69bcee34dea0ab31ca55e0006ea23b7c0e2f15e7e2558eaf6ab3b31294e59

SHA512
884243d41190191c6ab2e9186603d51cfe7a700dd4d85ed0cc825c87ea19e33492f5b5f1a34d94fe8070c96b261d64e34c75b28f05065e50c3dde18f8feb1a1a

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
1.1MB

MD5
3ffa5d42c59318b59057dcb8856d2584

SHA1
bfb19e6969aaeb7e74955ba1cb1f8ba4c62a1ef8

SHA256
d3de25382c38db035fa0c299e66d41cb7ec4a8b9978114fe5cc2e4d1b246fd50

SHA512
5ae247613c1e92fa0cf7dd18aad7c0c887bac45578d679af7139f093c4b1ef311233c36230c408a5d8cd399fffa1514bc8c5594791f8721d0b961b9b839313f3

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
1.1MB

MD5
8a064524d4b0d7e365e6a1274a37f1c4

SHA1
4ff576b80fd08c0e804757172c339dcbe2df4eda

SHA256
f377500daa98c34b1d40ea5086cf59673e06f32b2932e4bdfc9cb22188432468

SHA512
c7e4988efd82d40e0399c9c5a4d0548075ddd4daa729acf3798b056dd9e4f2c0eb9a049af4510d592dd5dd55dff7b5929d0810aa5cb924a336d9df3bbcf62dd0

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
1.1MB

MD5
4c2d0ea52733823030e1ed4cc64c0464

SHA1
33117d13a9d3ba595e49f1340556c52c93a7e9f5

SHA256
abe01d14384ac999cfc9404b3d730f2e1c6fb461ba7859e007f0e072bc05456d

SHA512
50e15d3c12dabb54671633177ae96c5888a3e41a83792fa279901081ea6cbea694cbdec058a974195cdb7b24d0a8ab8b61ac540f3b7ef22042eb7c434ef56f68

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
1.1MB

MD5
9f550540aca89dec1de6683457e96399

SHA1
4a568d915ebc3b3b1e60d1e7e80c1f6551bbfb01

SHA256
ebebd67a377a7592ea6d2f279b5a492a1fffedf531f54aecdd9b54d15a26bae1

SHA512
80f4e86a95991be63cdb7c1da468b787e3919f7c731e4335a97983b8a6f0722e8980e4f7e39106c1d3912fc1a049687e4c107eabc90395cfca82242907e835a5

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
1.1MB

MD5
34191a23d3816fad9677d2d71f5e2aa4

SHA1
d606304f8dc1b9a9fe22e0604266418366b7df46

SHA256
5fe8d16b83f65258bd9630835e41bfedc6ebe7609d77af096a66e61ee67d1a1e

SHA512
018de06f311a0ab27f92dc99df07c11123a08d60c0e47e2dd3551a3e3623789d63a3372fcea04b943b73b6b8f56ebccc0e2b2dd9420c836a8da7e6ee6d01b9e5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.1MB

MD5
4daf10ec73133441857c6ac2615e8a02

SHA1
9ff0118e7c0d560e93746de82791a3d8121aafb9

SHA256
e2a5a9a45d21d9b15366b44995efc8813ce863ae4c608024c0b4b2fb6cd65f06

SHA512
2732fac708caf36c1f15ffd4bbed2924660423623ddbd98e3e1b34e9af826fcd5dbdd5ed12e9fb27bff4015e8f486ac4a8c025f2df11e2509a03704e29b65bb4

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
1.1MB

MD5
cd36f7eacd39087a560db33def3c8d48

SHA1
c5389c8c8b5649c996423581cbe173d4c15e7cc8

SHA256
3bac9f4f128b7747eac7914955146c8447baf72f51e168c9372501b5c6dec737

SHA512
4999ea4bd49d47dd7868b8a54f53d9e732cba81698799e4ad3d335c80e0a62a337701a79cce84aa683bbcd2ee047afb0cfed029400f9adb8244edd60f92ab3dd

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
64KB

MD5
a32a29e01f0ee4e453ea8db73844d51d

SHA1
10c616bd6b687f7200cacaaaded443606eb8bf3d

SHA256
46c970774d3bf5a7041b0c4d7472c4bd320580d3d61f77170f6f08e1e78d9df9

SHA512
b12ff05da8dd3572fbfa5764771b65bc3c32c69be50b1595b320a1c89fdca22d662153a6ba24c0866365e914087c62f31f5050a5f805ea2adbff88c3014ffbfc

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
1.1MB

MD5
f3d18f9df18e990771851449c5e2e8ab

SHA1
62b899718738a46c8c1aa7f4f7dddde1bc86afd0

SHA256
4c40c6009b241e5de40826f2934872c552372edaa21079e53521ee31aefc848d

SHA512
8ad0acf2f7ea1e5708833ffd60d3d976559bf3fcd2aa2fc8ea67407c6f6fe1c011e88483547b41f3870ebdb9741a8d1467fde37815b1cce072415f84c9acb91d

Download Submit
memory/60-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/348-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/348-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/640-28-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/656-19-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/656-96-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/744-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1956-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1956-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2572-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2572-129-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2712-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2712-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2800-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2800-127-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3292-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3320-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3320-128-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3448-121-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3448-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3892-122-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3892-124-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4672-132-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4672-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5036-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5036-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-113-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads