862d509b746ac55f8af08524b47f7a89b740cb9a8cb748ec71be9f1b3b7659e4

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe
Size

285KB
MD5

09b0ee3818f23e3f15452555ecc5c120
SHA1

4a4233568b827c76d7b74f4d3ebdadff7570e48b
SHA256

862d509b746ac55f8af08524b47f7a89b740cb9a8cb748ec71be9f1b3b7659e4
SHA512

4104b6409acabc865f386ea389d89f34ddebe2ae98e33a6b9eec7e0c50f0c3bba00132d1a59541d73276b84ab45f1f9ca5fb972a14ed59a4647eb21d36aa5d54
SSDEEP

6144:+ZyKE4FBg+XHnZYkQGmzRrOEg0q/vjLm1AHkUm1Ys8xiV4DvtsJRlVDqa8GzNHLp:NBaBnmtOwq/+1MkU68raJRHua8G9Lcob

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2904	jusched.exe
2868	jusched.exe
2576	jusched.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe
2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe
2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe
2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe
2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe
2904	jusched.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-0-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/files/0x000800000001523e-27.dat	upx
behavioral1/memory/2904-46-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/memory/2116-45-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/memory/2904-51-0x0000000002960000-0x0000000002B08000-memory.dmp	upx
behavioral1/memory/2868-52-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-55-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-57-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2576-66-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2904-69-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/memory/2576-68-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2576-63-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2868-72-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2576-73-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2868-74-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-76-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-78-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-80-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-82-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-87-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-89-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-92-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-94-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2868-101-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Machine = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 2868	2904	jusched.exe	32
PID 2904 set thread context of 2576	2904	jusched.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2992	reg.exe
2700	reg.exe
2268	reg.exe
2356	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2868	jusched.exe
Token: SeCreateTokenPrivilege	2868	jusched.exe
Token: SeAssignPrimaryTokenPrivilege	2868	jusched.exe
Token: SeLockMemoryPrivilege	2868	jusched.exe
Token: SeIncreaseQuotaPrivilege	2868	jusched.exe
Token: SeMachineAccountPrivilege	2868	jusched.exe
Token: SeTcbPrivilege	2868	jusched.exe
Token: SeSecurityPrivilege	2868	jusched.exe
Token: SeTakeOwnershipPrivilege	2868	jusched.exe
Token: SeLoadDriverPrivilege	2868	jusched.exe
Token: SeSystemProfilePrivilege	2868	jusched.exe
Token: SeSystemtimePrivilege	2868	jusched.exe
Token: SeProfSingleProcessPrivilege	2868	jusched.exe
Token: SeIncBasePriorityPrivilege	2868	jusched.exe
Token: SeCreatePagefilePrivilege	2868	jusched.exe
Token: SeCreatePermanentPrivilege	2868	jusched.exe
Token: SeBackupPrivilege	2868	jusched.exe
Token: SeRestorePrivilege	2868	jusched.exe
Token: SeShutdownPrivilege	2868	jusched.exe
Token: SeDebugPrivilege	2868	jusched.exe
Token: SeAuditPrivilege	2868	jusched.exe
Token: SeSystemEnvironmentPrivilege	2868	jusched.exe
Token: SeChangeNotifyPrivilege	2868	jusched.exe
Token: SeRemoteShutdownPrivilege	2868	jusched.exe
Token: SeUndockPrivilege	2868	jusched.exe
Token: SeSyncAgentPrivilege	2868	jusched.exe
Token: SeEnableDelegationPrivilege	2868	jusched.exe
Token: SeManageVolumePrivilege	2868	jusched.exe
Token: SeImpersonatePrivilege	2868	jusched.exe
Token: SeCreateGlobalPrivilege	2868	jusched.exe
Token: 31	2868	jusched.exe
Token: 32	2868	jusched.exe
Token: 33	2868	jusched.exe
Token: 34	2868	jusched.exe
Token: 35	2868	jusched.exe
Token: SeDebugPrivilege	2576	jusched.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe
2904	jusched.exe
2868	jusched.exe
2868	jusched.exe
2576	jusched.exe
2868	jusched.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2272	2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2272	2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2272	2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2272	2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe	28
PID 2272 wrote to memory of 2716	2272	cmd.exe	30
PID 2272 wrote to memory of 2716	2272	cmd.exe	30
PID 2272 wrote to memory of 2716	2272	cmd.exe	30
PID 2272 wrote to memory of 2716	2272	cmd.exe	30
PID 2116 wrote to memory of 2904	2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe	31
PID 2116 wrote to memory of 2904	2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe	31
PID 2116 wrote to memory of 2904	2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe	31
PID 2116 wrote to memory of 2904	2116	09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe	31
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2868	2904	jusched.exe	32
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2868 wrote to memory of 2596	2868	jusched.exe	34
PID 2868 wrote to memory of 2596	2868	jusched.exe	34
PID 2868 wrote to memory of 2596	2868	jusched.exe	34
PID 2868 wrote to memory of 2596	2868	jusched.exe	34
PID 2868 wrote to memory of 2644	2868	jusched.exe	35
PID 2868 wrote to memory of 2644	2868	jusched.exe	35
PID 2868 wrote to memory of 2644	2868	jusched.exe	35
PID 2868 wrote to memory of 2644	2868	jusched.exe	35
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2868 wrote to memory of 3032	2868	jusched.exe	36
PID 2868 wrote to memory of 3032	2868	jusched.exe	36
PID 2868 wrote to memory of 3032	2868	jusched.exe	36
PID 2868 wrote to memory of 3032	2868	jusched.exe	36
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2868 wrote to memory of 2444	2868	jusched.exe	37
PID 2868 wrote to memory of 2444	2868	jusched.exe	37
PID 2868 wrote to memory of 2444	2868	jusched.exe	37
PID 2868 wrote to memory of 2444	2868	jusched.exe	37
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2904 wrote to memory of 2576	2904	jusched.exe	33
PID 2596 wrote to memory of 2700	2596	cmd.exe	41
PID 2596 wrote to memory of 2700	2596	cmd.exe	41
PID 2596 wrote to memory of 2700	2596	cmd.exe	41
PID 2596 wrote to memory of 2700	2596	cmd.exe	41
PID 3032 wrote to memory of 2992	3032	cmd.exe	43
PID 3032 wrote to memory of 2992	3032	cmd.exe	43
PID 3032 wrote to memory of 2992	3032	cmd.exe	43
PID 3032 wrote to memory of 2992	3032	cmd.exe	43
PID 2644 wrote to memory of 2356	2644	cmd.exe	44
PID 2644 wrote to memory of 2356	2644	cmd.exe	44
PID 2644 wrote to memory of 2356	2644	cmd.exe	44
PID 2644 wrote to memory of 2356	2644	cmd.exe	44
PID 2444 wrote to memory of 2268	2444	cmd.exe	45
PID 2444 wrote to memory of 2268	2444	cmd.exe	45
PID 2444 wrote to memory of 2268	2444	cmd.exe	45
PID 2444 wrote to memory of 2268	2444	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\09b0ee3818f23e3f15452555ecc5c120_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FytJg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Machine" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2716
- C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
  "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
    C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2268
- - C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
    C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FytJg.bat

Filesize
149B

MD5
976ffa9a304b234c039c8739d97bb893

SHA1
f70f7ede8b6e5d1b8a9b53c9bf43882485b55bd6

SHA256
2b77cf051bb584aada8b9e5e07cba06e2077b42f009c33d10e31994ceec10384

SHA512
1bd398b968736efbab740c81776781023a4ef0dc1c0191d6393a7582bd79b452666163691d82a27ee8989a1e293e6d6df57c303aa9b34497ae52be417f9e269c

Download Submit
C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

Filesize
285KB

MD5
c932c9048f96c49a9a1764ffeb9601d3

SHA1
1b7b6300a08f2d1e799415eff6a5825fb0c33864

SHA256
4a984cbf324f1f43b302ffd3309f656a03332155aeda90d0192fd4c8f49c8c4e

SHA512
edff8944e9c510cd135df1bad66fcf364e3ff1e8f7b53b2a07c5a34be0e961e500fc4ec1d94c36a49576c4a352932894abec8e19dc331839619e49d2e2b4d136

Download Submit
memory/2116-42-0x00000000032E0000-0x0000000003488000-memory.dmp

Filesize
1.7MB

Download
memory/2116-0-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2116-45-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2576-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2576-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2576-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2576-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2868-78-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-89-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-101-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-55-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-52-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-94-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-74-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-76-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-92-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-80-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-82-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-87-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-57-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2904-46-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2904-51-0x0000000002960000-0x0000000002B08000-memory.dmp

Filesize
1.7MB

Download
memory/2904-69-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads