cd5bd62b1ddafc2c9cdac2d6f64553c143080bf5dc27e14259621d4ca1302e23

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Size

1024KB
MD5

49f597ef7ce0903745ac69037875a490
SHA1

f0083a77c0355ec154a4ec78b993d7b9b37cef40
SHA256

cd5bd62b1ddafc2c9cdac2d6f64553c143080bf5dc27e14259621d4ca1302e23
SHA512

d580451642157af302e6b5c6c2760840928e264206a2b5165ff942c42390a266cda1a0aa666e726683132116d318817fd91b6bb83525126183a3b7066e57d3df
SSDEEP

24576:Xm0BmmvFimm0Xcr6VDsEqacjgqANXcolMZ5nNxvM0oL8v8WQ:PiTWVDBzcjgBNXcolMZ5nNxvM0oLoQ

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe

Malware Dropper & Backdoor - Berbew 16 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x00090000000233fd-6.dat	family_berbew
behavioral2/files/0x0007000000023418-14.dat	family_berbew
behavioral2/files/0x000700000002341a-22.dat	family_berbew
behavioral2/files/0x000700000002341d-30.dat	family_berbew
behavioral2/files/0x000700000002341f-38.dat	family_berbew
behavioral2/files/0x0007000000023421-41.dat	family_berbew
behavioral2/files/0x0007000000023423-54.dat	family_berbew
behavioral2/files/0x0008000000023415-62.dat	family_berbew
behavioral2/files/0x0007000000023427-71.dat	family_berbew
behavioral2/files/0x0007000000023429-78.dat	family_berbew
behavioral2/files/0x000700000002342b-87.dat	family_berbew
behavioral2/files/0x000700000002342d-94.dat	family_berbew
behavioral2/files/0x000700000002342f-101.dat	family_berbew
behavioral2/files/0x0007000000023431-108.dat	family_berbew
behavioral2/files/0x0007000000023433-115.dat	family_berbew
behavioral2/files/0x0007000000023435-122.dat	family_berbew

Executes dropped EXE 16 IoCs

pid	Process
2452	Ldkojb32.exe
4144	Laalifad.exe
1568	Ldohebqh.exe
4724	Lddbqa32.exe
4716	Mjqjih32.exe
4820	Mnapdf32.exe
4488	Mkepnjng.exe
2948	Mglack32.exe
3896	Njogjfoj.exe
2288	Ncgkcl32.exe
4692	Nbhkac32.exe
4312	Ncihikcg.exe
4944	Njcpee32.exe
1476	Nbkhfc32.exe
2192	Ndidbn32.exe
2752	Nkcmohbg.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Ldohebqh.exe

Program crash 1 IoCs

pid	pid_target	Process
4668	2752	WerFault.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 2452	4660	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe	82
PID 4660 wrote to memory of 2452	4660	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe	82
PID 4660 wrote to memory of 2452	4660	49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe	82
PID 2452 wrote to memory of 4144	2452	Ldkojb32.exe	83
PID 2452 wrote to memory of 4144	2452	Ldkojb32.exe	83
PID 2452 wrote to memory of 4144	2452	Ldkojb32.exe	83
PID 4144 wrote to memory of 1568	4144	Laalifad.exe	84
PID 4144 wrote to memory of 1568	4144	Laalifad.exe	84
PID 4144 wrote to memory of 1568	4144	Laalifad.exe	84
PID 1568 wrote to memory of 4724	1568	Ldohebqh.exe	85
PID 1568 wrote to memory of 4724	1568	Ldohebqh.exe	85
PID 1568 wrote to memory of 4724	1568	Ldohebqh.exe	85
PID 4724 wrote to memory of 4716	4724	Lddbqa32.exe	86
PID 4724 wrote to memory of 4716	4724	Lddbqa32.exe	86
PID 4724 wrote to memory of 4716	4724	Lddbqa32.exe	86
PID 4716 wrote to memory of 4820	4716	Mjqjih32.exe	88
PID 4716 wrote to memory of 4820	4716	Mjqjih32.exe	88
PID 4716 wrote to memory of 4820	4716	Mjqjih32.exe	88
PID 4820 wrote to memory of 4488	4820	Mnapdf32.exe	89
PID 4820 wrote to memory of 4488	4820	Mnapdf32.exe	89
PID 4820 wrote to memory of 4488	4820	Mnapdf32.exe	89
PID 4488 wrote to memory of 2948	4488	Mkepnjng.exe	90
PID 4488 wrote to memory of 2948	4488	Mkepnjng.exe	90
PID 4488 wrote to memory of 2948	4488	Mkepnjng.exe	90
PID 2948 wrote to memory of 3896	2948	Mglack32.exe	92
PID 2948 wrote to memory of 3896	2948	Mglack32.exe	92
PID 2948 wrote to memory of 3896	2948	Mglack32.exe	92
PID 3896 wrote to memory of 2288	3896	Njogjfoj.exe	93
PID 3896 wrote to memory of 2288	3896	Njogjfoj.exe	93
PID 3896 wrote to memory of 2288	3896	Njogjfoj.exe	93
PID 2288 wrote to memory of 4692	2288	Ncgkcl32.exe	94
PID 2288 wrote to memory of 4692	2288	Ncgkcl32.exe	94
PID 2288 wrote to memory of 4692	2288	Ncgkcl32.exe	94
PID 4692 wrote to memory of 4312	4692	Nbhkac32.exe	95
PID 4692 wrote to memory of 4312	4692	Nbhkac32.exe	95
PID 4692 wrote to memory of 4312	4692	Nbhkac32.exe	95
PID 4312 wrote to memory of 4944	4312	Ncihikcg.exe	96
PID 4312 wrote to memory of 4944	4312	Ncihikcg.exe	96
PID 4312 wrote to memory of 4944	4312	Ncihikcg.exe	96
PID 4944 wrote to memory of 1476	4944	Njcpee32.exe	97
PID 4944 wrote to memory of 1476	4944	Njcpee32.exe	97
PID 4944 wrote to memory of 1476	4944	Njcpee32.exe	97
PID 1476 wrote to memory of 2192	1476	Nbkhfc32.exe	98
PID 1476 wrote to memory of 2192	1476	Nbkhfc32.exe	98
PID 1476 wrote to memory of 2192	1476	Nbkhfc32.exe	98
PID 2192 wrote to memory of 2752	2192	Ndidbn32.exe	99
PID 2192 wrote to memory of 2752	2192	Ndidbn32.exe	99
PID 2192 wrote to memory of 2752	2192	Ndidbn32.exe	99

C:\Users\Admin\AppData\Local\Temp\49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49f597ef7ce0903745ac69037875a490_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\Ldkojb32.exe
  C:\Windows\system32\Ldkojb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\Laalifad.exe
    C:\Windows\system32\Laalifad.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\SysWOW64\Ldohebqh.exe
      C:\Windows\system32\Ldohebqh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        17⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 412
        18⤵
        Program crash
        
        PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2752 -ip 2752
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
1024KB

MD5
492529513f3025f2fda084b7015a361d

SHA1
a67f1bdb0b754138ecadf65c2aa5de667dd62ca3

SHA256
8cdb9c376b5e1ba300fb9b996a5cce970794fbb4bd07584e5d065e8f9037cc41

SHA512
96a0ea8a30890f8a25b6347e7e078bb59ae56dba8722774aceb05546ac3315491f04b0f7bfab2da7ff36b682eb241100bcbd0816134360e51e97cd130a0f31bf

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
1024KB

MD5
59ff189c12b798aaf888d8de0ed10e51

SHA1
cb52c8dea141913769f6ad25f789f94e9e85dc9c

SHA256
891e8ba20f7ea982f5356e7342e3f7cf9bc29dc55da1aca015c4c3dffc39df6e

SHA512
509b0af0bc3ac3357d6d26c5610a5e8252334db0a431bcb1ae05c43e33629147fb4e426e53870915023347376f037c4666d95e38c82cda2c1705f96d09949931

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
1024KB

MD5
6dad1e27ae9742d4399c8b7052cc8479

SHA1
d8bac73cf3c5cae5c002eed21d1a5c7cdd34f049

SHA256
e6006b65d9351b3e0707bbe350afb3d983e43975ef0788c981a7063d0fca56da

SHA512
13de2270fba41924e868247259511d6f34a88c19c1cb81ce53b306389a03bfc53fc0b68a02a5a3e518973008666f71c46a8b55c47f82e730929796f8e71eb045

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
1024KB

MD5
e2cb8b6d43f25fa2c2ad348a63ce7b42

SHA1
1fc69259117630181000d77146276c0f63a11e17

SHA256
db25580d8df2f6779b18480d79f8d33828050bb420286be21cb1f3788e634202

SHA512
a135bb2bc4f44398f61dba8f439c6c2f7e4886033970a1739fc787d0032123ce3844a6219e5a38fd45cd15d2b04a5df7c2357e99fb04af77fddd6d746e45116f

Download Submit
C:\Windows\SysWOW64\Lppbjjia.dll

Filesize
7KB

MD5
94e597cf5c9905bafda3cab1fe6b04a6

SHA1
2ea8e045ff1f99001df934fed693cc129c25b15d

SHA256
24f39269ce5f88d7e6f88a48eafdf1b24941139ead0f6e5dcb422bdc1e6e1bcd

SHA512
cb9fee7e9b458a23b199c4befc93bd92fe59fe392c08f579fde2f560ddfac1492d167d6c83653bf4b7d4058d6a651a137c1232785a987a06333e76712bb18bb5

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
1024KB

MD5
560a98b9685f85f42debbac6defc16d1

SHA1
7781e64b255dbd1e20ef99ba1ee796e9731266e9

SHA256
28a7eb10ba2a215e35a488eecd5d3c61d0353fddc170b82c2053fabc8d7224e7

SHA512
b502b37d374092cd1b1f67dd3e674bb7e169d416b4de2339881000a73914556b602d13dc45e77b7183749da8224e018181a443c2ae0967b7ee6b66e478cec54c

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
1024KB

MD5
b937e63cea74e02ebfc6ae4862603c0a

SHA1
08af7f05881737fb42c825b0bbf4dd131410f17b

SHA256
bfad58b9d063c6565ee640ec3dde7777498751eb3a73ed1dd51be928a05bb29c

SHA512
dd7f9885bd96f3854769f69fc421efcef559e46b72a2f6125c5bf98e541f42b4071c8e968937fac3376867fe5e4ca84f85f905bff0213245265527150ce42525

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
1024KB

MD5
46d3195b2a399876be102ba7e93c214f

SHA1
0f350d02e6587eac1bea4769ab16a75a65cc88a6

SHA256
83828cc9186841ada3a36a82e6929e391d679eddc996021f68204ccd1ff267a6

SHA512
ee34ef1456db4ae7dd79aadc408063b068455cbd79a1a75bdefabd944c0975b80489759325a46ac67f54cb35b41248971ce3a4cba6a04296ece91de25b1c4576

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
1024KB

MD5
1015129424f3d02bd09417779b14a480

SHA1
e5c546fb7b5ca3e46533c2ea2cb0893a91b7a28c

SHA256
ca2c27ae55263e5e92fe2a0ca6bea3a5787a6ef1d5f8d7e71f73ccc5d6a0364b

SHA512
e630803da7b620e4bdfb5e79a86344ae2a03dd6c0b668d1e257580869717246fad39ee60a24b1b77c65e7d0862e9bec3b75ec47ff6f5b27b27fc4d5861f05240

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
1024KB

MD5
fc0bfdb7940d5d8bc99f6ebeb1ada6da

SHA1
90de0b84056d5ef13ec0505ce1c9b9a51fcd4b5a

SHA256
939447032c92952b178a8fe1489abdfd6a8fc8d8a41f0c3c56535e40153d781a

SHA512
c6e8ca590671a2f6cb2d77187807f600cbb32570f1c5cde385d7d38f9326a67fcd5b7d533a0bfdd4982edc36d1ac539b2221a81b44b2de289207ccef57939a93

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
1024KB

MD5
9bb40ca7301480bbfc0d9a24ac9c98a5

SHA1
2308e5f11f0a46289e74fea5f76670f3e6bce098

SHA256
c16df643ae21ba194ee5ab29a2f3b38d15a769a567ab2de088d87263d218e096

SHA512
297dd70814baebeccd8e7ec0c1a285fc87eeab6c7ffd26485dca4d828a1af4daa3deb346613ed4ed341ebbdad0a8e58c322dd79de8d481f13888373d3a8161a3

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
1024KB

MD5
875fda8c6b72b55ae40b0519322dd494

SHA1
56b4ddd5381e16bc78aa0791c184104a63ac9174

SHA256
6ce69c58c5ea3efd2ae9dd9fe7335f38712b93dc84aa19ec50f40bad288455a2

SHA512
b4c953faaa4757f9a2eba200a50741a14924f7d9ea4c8719ddcfcb32a8a8e35805548666d028210f5cef567f4c5a5cc2659572b7641b33f82d7bdaf492e22ec1

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
1024KB

MD5
0984f5cff947847955c278c03b2efbd2

SHA1
1237be1726f1cb04e2a70c97e57e067eeb2636be

SHA256
cf3e2b534d4001f08938e01bbc4c1caf0f31cfc321f0ca174b479a653b498672

SHA512
503d10f3680d34f7877964975aabc9a0cdb4af0ffbabad33cda71c96d8748ef798607377ce6613aa275c7cbb6abf7e23b65b677020b2695fd05362f8b427f57a

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
1024KB

MD5
7f3bc148cbf4b4167c8ac1b11b465d42

SHA1
919a3ec807f2b47545103cf5d74b8f9c1c9334d2

SHA256
2a3b805b72903035b1fe108272022dd58d0a1e7d60358ffc0d85f1eadf59e7f2

SHA512
002247f2406839b962c78913cef31dc1c7ba39632af07552150ee8599e770c891ecd674870f5996bce6a65e218f1a4cf825a8e99a0f75f691c0f2656cc3b6145

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
1024KB

MD5
8b122afd3f61b3570a4d89a5e63ebacb

SHA1
09593c467b3d58b763c171010c5b69c77f4e4c44

SHA256
9a268ba9e638d2dc64c717decd3d94f578496ef5922edfdd36f723e3ca9331a2

SHA512
57fc946194264001aeadd4b5ab216329ad5af91fc4ab4c5a55bb9b4f0c1d6f01010656062d80cebfbee04a03bfbafb377f9f31ecb55d2a074a7e9eedce81a084

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
1024KB

MD5
00d8835fbd0ca9cd257bc0e7aeb876c0

SHA1
d2e948cd0c5b374a14d04323c6b7e38ce5a24331

SHA256
f88c6e6d978566a9941f3be1a151fd5294d1e5777007ba0158ddf817b26e8fee

SHA512
75407ec56b0a2c3963b97f31fddb6e40bbe15bc30aa977b2859a17d606b93d38e446a673543b3c7aba7b178e1becaf64aa21620aae194acf4ac2f72160ae7642

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1024KB

MD5
92038f8bc0bd995089cd77eb71065c5d

SHA1
f657e3362da63e08fa9a3297bee9d84f9a33e15a

SHA256
5b9ca13d395204577c3c77cf9c6e94ac8c231dae26a19489e700684a2d8a1466

SHA512
3d5f80b7f9af2d6765e13fdd4daf3a3d0d1883e027e4fe5ff23d8489d4bc4b3caf26e277360395a73dc207bdacf4cb1ec8c6246a8d9f822fc6bada40d686b09c

Download Submit
memory/1476-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-77-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4312-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4724-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads