fc62cf145ef2bf693cf1f84abd30843a548d054fd0376473134e088c9c6fcbc2

General

Target

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
Size

2.6MB
MD5

1b11ee5ca27fe0d341fee89bec5fd940
SHA1

e63efe252c67f8f14f6fc9c42189c3e1c4175a94
SHA256

fc62cf145ef2bf693cf1f84abd30843a548d054fd0376473134e088c9c6fcbc2
SHA512

7fbe4e130d07d3050406cfd312c6a892161f20dc468f0e618228dec9625e625842505441556ef067d8a4675de3563b6a90d741ef263bd24cd74c30724b8b4b21
SSDEEP

49152:fXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVh:fXzhW148Pd+Tf1mpcOldJQ3/Vh

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

spoolsv.exesvchost.exespoolsv.exeexplorer.exe1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2680 explorer.exe
2692 spoolsv.exe
2744 svchost.exe
2520 spoolsv.exe
Loads dropped DLL 4 IoCs

Processes:

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

pid process

1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
2680 explorer.exe
2692 spoolsv.exe
2744 svchost.exe

pid	process
2680	explorer.exe
2692	spoolsv.exe
2744	svchost.exe
2520	spoolsv.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1560-0-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\Themes\explorer.exe	themida
behavioral1/memory/2680-12-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1560-11-0x0000000003750000-0x0000000003D66000-memory.dmp	themida
C:\Windows\Resources\spoolsv.exe	themida
behavioral1/memory/2692-24-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\svchost.exe	themida
behavioral1/memory/2744-36-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2520-45-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1560-42-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2692-50-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2520-52-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1560-54-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2680-55-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2680-56-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2744-57-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2680-68-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
2680 explorer.exe
2692 spoolsv.exe
2744 svchost.exe
2520 spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2024 schtasks.exe
1208 schtasks.exe
1732 schtasks.exe

pid	process
2024	schtasks.exe
1208	schtasks.exe
1732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2744	svchost.exe
2744	svchost.exe
2680	explorer.exe
2744	svchost.exe
2744	svchost.exe
2680	explorer.exe
2680	explorer.exe
2744	svchost.exe
2744	svchost.exe
2680	explorer.exe
2680	explorer.exe
2744	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2680 explorer.exe
2744 svchost.exe

pid	process
2680	explorer.exe
2744	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
2680	explorer.exe
2680	explorer.exe
2692	spoolsv.exe
2692	spoolsv.exe
2744	svchost.exe
2744	svchost.exe
2520	spoolsv.exe
2520	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1560 wrote to memory of 2680	1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe	explorer.exe
PID 1560 wrote to memory of 2680	1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe	explorer.exe
PID 1560 wrote to memory of 2680	1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe	explorer.exe
PID 1560 wrote to memory of 2680	1560	1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe	explorer.exe
PID 2680 wrote to memory of 2692	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2692	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2692	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2692	2680	explorer.exe	spoolsv.exe
PID 2692 wrote to memory of 2744	2692	spoolsv.exe	svchost.exe
PID 2692 wrote to memory of 2744	2692	spoolsv.exe	svchost.exe
PID 2692 wrote to memory of 2744	2692	spoolsv.exe	svchost.exe
PID 2692 wrote to memory of 2744	2692	spoolsv.exe	svchost.exe
PID 2744 wrote to memory of 2520	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 2520	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 2520	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 2520	2744	svchost.exe	spoolsv.exe
PID 2680 wrote to memory of 2600	2680	explorer.exe	Explorer.exe
PID 2680 wrote to memory of 2600	2680	explorer.exe	Explorer.exe
PID 2680 wrote to memory of 2600	2680	explorer.exe	Explorer.exe
PID 2680 wrote to memory of 2600	2680	explorer.exe	Explorer.exe
PID 2744 wrote to memory of 2024	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 2024	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 2024	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 2024	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1208	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1208	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1208	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1208	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1732	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1732	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1732	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1732	2744	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:10 /f
5⤵
- Creates scheduled task(s)
PID:2024

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:11 /f
5⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:12 /f
5⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
3⤵
PID:2600

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe
Filesize
2.6MB

MD5
0d7fc944b938bbbdc2be334d04e4bbd9

SHA1
ab064256cb29ed8c7157e54ba6784bb8e01a679f

SHA256
6ecf8a2a32ab280ca5251bbc891236163cc06b9fde6dfb3dfe66b0ce3eb5f53d

SHA512
127ea74cfdf8e6781b6e9731bfaf058ed380b63f79d6bf88ca90cee73369d484d20d4b9e1b3d0e9705f438a9b3a62234f7c556b6ddc24122e89076f34e1fe351

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
2.6MB

MD5
26dde0f13a7ac04c215919389296ea0a

SHA1
fb1ad878889221258eeaed8f4c70976dc12e7fc2

SHA256
288ac0386012ad9b8674830dbe57dfbcd67903471a268aabfb1a972744e15b5b

SHA512
15b1f9ec990bc2e0ef04c568f38f9785f6bd3615678b299904dab59858af3a2f3d29cf01ae03c0a975a29431ccb8eeee20518d5e29a0b92c38d4ae9144f344f6

Download Submit
\Windows\Resources\svchost.exe
Filesize
2.6MB

MD5
be7a9a6abe47e418064b82d388746b5b

SHA1
35950397c543b199222561058e93f918bd421d19

SHA256
a1b228398868a64da27686f0f7f92dc7051477b7cec2413f2ce7575e1d382f15

SHA512
fbee82edf05f9d02dc3f59128aed8902637cab09f93a4e8f3eb70d16dfaa99a0aee84754c5c0708d4370bf32b798485d335859fb9f39dd20ec21e01fa33042c4

Download Submit
memory/1560-44-0x0000000003750000-0x0000000003D66000-memory.dmp

Filesize
6.1MB

Download
memory/1560-1-0x0000000077E50000-0x0000000077E52000-memory.dmp

Filesize
8KB

Download
memory/1560-54-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1560-11-0x0000000003750000-0x0000000003D66000-memory.dmp

Filesize
6.1MB

Download
memory/1560-0-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1560-42-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2520-52-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2520-45-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2680-21-0x0000000003700000-0x0000000003D16000-memory.dmp

Filesize
6.1MB

Download
memory/2680-12-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2680-55-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2680-56-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2680-68-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2692-35-0x00000000036F0000-0x0000000003D06000-memory.dmp

Filesize
6.1MB

Download
memory/2692-24-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2692-50-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2744-36-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2744-57-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads