55458f95bd4203e0ff7f037692f7eb00211908674287ca6f56ef5f689dd4e02f

General

Target

43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
Size

768KB
MD5

43785cf84b5dec9cfbc8c413e61427f0
SHA1

92279bec96e742474495db8e9d9caf82df09d98d
SHA256

55458f95bd4203e0ff7f037692f7eb00211908674287ca6f56ef5f689dd4e02f
SHA512

aeeb6e5149dbbc350c97fb171ed963ffed2c1baf534e182886a909b91f4a442625bf3fde8c73253be90af76e69ed0e5c6d5c6fb087efe293fc9a57c2393da1b1
SSDEEP

12288:FpY7vR6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvO:Fp2q5h3q5htaSHFaZRBEYyqmaf2qwiHP

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe

Malware Dropper & Backdoor - Berbew 7 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0006000000022fa8-7.dat	family_berbew
behavioral2/files/0x0007000000023467-15.dat	family_berbew
behavioral2/files/0x000700000002346b-32.dat	family_berbew
behavioral2/files/0x0007000000023471-56.dat	family_berbew
behavioral2/files/0x000700000002346f-48.dat	family_berbew
behavioral2/files/0x000700000002346d-40.dat	family_berbew
behavioral2/files/0x0007000000023469-24.dat	family_berbew

Executes dropped EXE 7 IoCs

pid	Process
652	Nnmopdep.exe
8	Ndghmo32.exe
3956	Ngedij32.exe
3472	Njcpee32.exe
3456	Nqmhbpba.exe
2364	Ncldnkae.exe
1556	Nkcmohbg.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3612	1556	WerFault.exe	90

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 652	2244	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe	84
PID 2244 wrote to memory of 652	2244	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe	84
PID 2244 wrote to memory of 652	2244	43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe	84
PID 652 wrote to memory of 8	652	Nnmopdep.exe	85
PID 652 wrote to memory of 8	652	Nnmopdep.exe	85
PID 652 wrote to memory of 8	652	Nnmopdep.exe	85
PID 8 wrote to memory of 3956	8	Ndghmo32.exe	86
PID 8 wrote to memory of 3956	8	Ndghmo32.exe	86
PID 8 wrote to memory of 3956	8	Ndghmo32.exe	86
PID 3956 wrote to memory of 3472	3956	Ngedij32.exe	87
PID 3956 wrote to memory of 3472	3956	Ngedij32.exe	87
PID 3956 wrote to memory of 3472	3956	Ngedij32.exe	87
PID 3472 wrote to memory of 3456	3472	Njcpee32.exe	88
PID 3472 wrote to memory of 3456	3472	Njcpee32.exe	88
PID 3472 wrote to memory of 3456	3472	Njcpee32.exe	88
PID 3456 wrote to memory of 2364	3456	Nqmhbpba.exe	89
PID 3456 wrote to memory of 2364	3456	Nqmhbpba.exe	89
PID 3456 wrote to memory of 2364	3456	Nqmhbpba.exe	89
PID 2364 wrote to memory of 1556	2364	Ncldnkae.exe	90
PID 2364 wrote to memory of 1556	2364	Ncldnkae.exe	90
PID 2364 wrote to memory of 1556	2364	Ncldnkae.exe	90

C:\Users\Admin\AppData\Local\Temp\43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\43785cf84b5dec9cfbc8c413e61427f0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\Ndghmo32.exe
    C:\Windows\system32\Ndghmo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\Ngedij32.exe
      C:\Windows\system32\Ngedij32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        8⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 400
        9⤵
        Program crash
        
        PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1556 -ip 1556
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
768KB

MD5
38997a806556054b4f331302bd1429ef

SHA1
7d8de011b85ed77b0761ed43501df6a8d221eb7f

SHA256
2ff3d643786d65da129964e657cde79eb3d487c48376993bc680d90c57aad3a2

SHA512
b48b93c27ba0a40f8c874a5ac4700304075077bcaebded10a82eddd4b098f86b272d4b4f0def17c469255be64d6c618d77fcd7f3e6a6a526e8b70c3c28b562d0

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
768KB

MD5
e46c3723cb6efd5ada053fe9091d1bec

SHA1
dc2842b64e232481a7259dd2d0041897e45960af

SHA256
1da658316cdf4480a1b6566dfc08d26490d1e9b6b13ffd5b11191a1e0faf4d69

SHA512
004c3b1e407884e61260f3b5c128d5eb3eab87eab9207f6d6118752ca72dbd1a4c81edaf447a5c8f087a718cfa1521ca3b81db981186f59b9a4a4f093cd14b0f

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
768KB

MD5
ae3dbb7fa13a61bb23cc30c2fe83e9f7

SHA1
abdf68ea2586783ac87dab221c75b5ac01ead542

SHA256
810eb36846cf6b1529117476128143b2e67bcd0512be84c92b63e45a987fe1ee

SHA512
af8dc47b6f1266e39c36ff5db2abfb1d0f89bc3e729318e7df8cf602813b0eca9b74fee12ec690fd73f75d40ec0f17da8eb4c46a15df2fc3ef44b73b84fd6669

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
768KB

MD5
57b1e3d36e3f87cbf98d1657263523fa

SHA1
f9c4146d4a153592a7b388ec0bf3693f750be3e7

SHA256
665056f42e2d385c78728dfefab8f4fc09dabf4de31b1d5c90c7a1c5f5f8afa4

SHA512
73a8c1e8dc32bf13b45c1d15f994f9618ba48772042f5fa1b9cbe8767e307b0339bdd9a0327d6b2cab7d4509d70154a2e83a41cafc9aa8d6679b6feab0d42b1d

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
768KB

MD5
dab910a7895d913d0e48f0b07a79e839

SHA1
a1b7c4da857de8a21325d8b8bff22c437ca37fcc

SHA256
78802d6325c71eb71f848bfd6ab165b207aaf7e8c8297e17cfd533ac9f3b4bc3

SHA512
992aa6238839fb1e51ed4076c17d2ef547eeb886e5506d77baa741a0081f3270305e3756851e13be71cc48a14af1e015673ca8c71468b3aad97a0daf60dd2109

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
768KB

MD5
03fda410d48d8e307c4ffc4533bc1c4e

SHA1
ce425e6721660675b26801baf62b1c999a77b146

SHA256
35bea2774d989c8f05414832eef2c9d1cd79a171ca22bfd522f478bb6194b201

SHA512
741bd44a3088247072f365a44e40c1078083b02df1e0f0e696adb4204f60b013fc41c4d03ac3e197d69eedb2cea29ae037434f0a34d4891a3b74136cb139b778

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
768KB

MD5
cd694ac4f1291fb4d261706cdfbd0a23

SHA1
6fdd2df9df7e77a61d106db6333658f828efdfbc

SHA256
c6957099672feb5c6e745d5dd16aea3cca88ad956e148bdcce9a91dbed665478

SHA512
9d6308c874239df7360915b4021df6348ce5fb42852a43d1fd913f931df4cdddddc7fdc03e635b9f723907bf4db4f7c59c0f5ef76797572d6a5ce295817747d7

Download Submit
memory/8-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2364-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads