73cbe5bec39bc70469f66fdaad9e3f2499848e710eab668ee55ad9cc65e3ae20

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 21:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe
Size

2.7MB
MD5

89872808e6dea205906e4a9d51226dc0
SHA1

653ed5133f968a3af497135299ce2a76c4da4fea
SHA256

73cbe5bec39bc70469f66fdaad9e3f2499848e710eab668ee55ad9cc65e3ae20
SHA512

fe8e46ba97ac148c924d59e80f54f40a379666595dfff70253aae5d8413cb8993ea18c1ad6fdb0a3ada5142bb5229f8992fb65d878cd49f35664dbdde6cc2680
SSDEEP

49152:DBuZrEUVgCGLfmPm7FveXAPd4r58H81p6KIy029s4C1eH9k:FkLVlGLuu7kXQ4r58cUt29s4C1eH9k

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Executes dropped EXE 4 IoCs

pid	Process
4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
4028	662edccf2a1b9_pe.exe
2840	662edccf2a1b9_pe.tmp

Loads dropped DLL 3 IoCs

pid	Process
4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
2840	662edccf2a1b9_pe.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Whatsapp.exe\unins000.dat	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
File created	C:\Program Files (x86)\Whatsapp.exe\is-9C9OO.tmp	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
File opened for modification	C:\Program Files (x86)\Whatsapp.exe\unins000.dat	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4608	3944	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	82
PID 3944 wrote to memory of 4608	3944	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	82
PID 3944 wrote to memory of 4608	3944	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	82
PID 4608 wrote to memory of 1364	4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	84
PID 4608 wrote to memory of 1364	4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	84
PID 4608 wrote to memory of 1364	4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	84
PID 1364 wrote to memory of 2636	1364	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	86
PID 1364 wrote to memory of 2636	1364	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	86
PID 1364 wrote to memory of 2636	1364	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	86
PID 2636 wrote to memory of 4028	2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	88
PID 2636 wrote to memory of 4028	2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	88
PID 2636 wrote to memory of 4028	2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	88
PID 4028 wrote to memory of 2840	4028	662edccf2a1b9_pe.exe	89
PID 4028 wrote to memory of 2840	4028	662edccf2a1b9_pe.exe	89
PID 4028 wrote to memory of 2840	4028	662edccf2a1b9_pe.exe	89

C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\is-S8CGH.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S8CGH.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp" /SL5="$80204,1969655,832512,C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe" /SILENT /PASSWORD=4992348
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\is-EHNHA.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-EHNHA.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp" /SL5="$90204,1969655,832512,C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe" /SILENT /PASSWORD=4992348
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\is-EFJSL.tmp\662edccf2a1b9_pe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EFJSL.tmp\662edccf2a1b9_pe.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Users\Admin\AppData\Local\Temp\is-8OBDC.tmp\662edccf2a1b9_pe.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8OBDC.tmp\662edccf2a1b9_pe.tmp" /SL5="$E0064,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-EFJSL.tmp\662edccf2a1b9_pe.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2840

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8e04JwBWLQ6pnHIgzWyj2FDVUCUy23vSMrg9AjlrrVbHama_eildBYE7LaTRg541btnqYeKoqeZBs_4OCmwsl0zi_19i4qy3le7KqUP5N9xC_X6fhT_HkGtigYGKnybERR6ytbwRkUgkiRT-yZA6sVppbiRI3DPSSAoBmnZuyZbr4inCG%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D7f461e5e8e8f146cdcd4783620928652&TIME=20240611T200650Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8e04JwBWLQ6pnHIgzWyj2FDVUCUy23vSMrg9AjlrrVbHama_eildBYE7LaTRg541btnqYeKoqeZBs_4OCmwsl0zi_19i4qy3le7KqUP5N9xC_X6fhT_HkGtigYGKnybERR6ytbwRkUgkiRT-yZA6sVppbiRI3DPSSAoBmnZuyZbr4inCG%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D7f461e5e8e8f146cdcd4783620928652&TIME=20240611T200650Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=18679E0AC533625B1F9D8A97C4886310; domain=.bing.com; expires=Tue, 08-Jul-2025 21:46:20 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D992B3F01F9A46D396BB079A8CFBC8F2 Ref B: LON04EDGE0817 Ref C: 2024-06-13T21:46:20Z
date: Thu, 13 Jun 2024 21:46:19 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8e04JwBWLQ6pnHIgzWyj2FDVUCUy23vSMrg9AjlrrVbHama_eildBYE7LaTRg541btnqYeKoqeZBs_4OCmwsl0zi_19i4qy3le7KqUP5N9xC_X6fhT_HkGtigYGKnybERR6ytbwRkUgkiRT-yZA6sVppbiRI3DPSSAoBmnZuyZbr4inCG%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D7f461e5e8e8f146cdcd4783620928652&TIME=20240611T200650Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8e04JwBWLQ6pnHIgzWyj2FDVUCUy23vSMrg9AjlrrVbHama_eildBYE7LaTRg541btnqYeKoqeZBs_4OCmwsl0zi_19i4qy3le7KqUP5N9xC_X6fhT_HkGtigYGKnybERR6ytbwRkUgkiRT-yZA6sVppbiRI3DPSSAoBmnZuyZbr4inCG%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D7f461e5e8e8f146cdcd4783620928652&TIME=20240611T200650Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=18679E0AC533625B1F9D8A97C4886310; _EDGE_S=SID=04EDFA3F9C6E600C0214EEA29DC461F0

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=JM-jFUeuyoaxApYdms28NleWsdUtVrDTZiHcn7D6hOE; domain=.bing.com; expires=Tue, 08-Jul-2025 21:46:20 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 24808BF86AD24FFA963386C1BCB9481B Ref B: LON04EDGE0817 Ref C: 2024-06-13T21:46:20Z
date: Thu, 13 Jun 2024 21:46:19 GMT
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

98.251.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.251.17.2.in-addr.arpa

IN PTR

Response

98.251.17.2.in-addr.arpa

IN PTR

a2-17-251-98deploystaticakamaitechnologiescom
GET

https://www.bing.com/aes/c.gif?RG=da2ac46cb82042bcadbfcfd740d7cfea&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T200650Z&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670

Remote address:

23.62.61.97:443

Request

GET /aes/c.gif?RG=da2ac46cb82042bcadbfcfd740d7cfea&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T200650Z&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=18679E0AC533625B1F9D8A97C4886310

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9542994DA72E479AB7593F767868D80F Ref B: DUS30EDGE0916 Ref C: 2024-06-13T21:46:20Z
content-length: 0
date: Thu, 13 Jun 2024 21:46:20 GMT
set-cookie: _EDGE_S=SID=04EDFA3F9C6E600C0214EEA29DC461F0; path=/; httponly; domain=bing.com
set-cookie: MUIDB=18679E0AC533625B1F9D8A97C4886310; path=/; httponly; expires=Tue, 08-Jul-2025 21:46:20 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1718315180.59b96bb
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

97.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.61.62.23.in-addr.arpa

IN PTR

Response

97.61.62.23.in-addr.arpa

IN PTR

a23-62-61-97deploystaticakamaitechnologiescom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

57.15.31.184.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.15.31.184.in-addr.arpa

IN PTR

Response

57.15.31.184.in-addr.arpa

IN PTR

a184-31-15-57deploystaticakamaitechnologiescom
DNS

88.251.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.251.17.2.in-addr.arpa

IN PTR

Response

88.251.17.2.in-addr.arpa

IN PTR

a2-17-251-88deploystaticakamaitechnologiescom
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8e04JwBWLQ6pnHIgzWyj2FDVUCUy23vSMrg9AjlrrVbHama_eildBYE7LaTRg541btnqYeKoqeZBs_4OCmwsl0zi_19i4qy3le7KqUP5N9xC_X6fhT_HkGtigYGKnybERR6ytbwRkUgkiRT-yZA6sVppbiRI3DPSSAoBmnZuyZbr4inCG%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D7f461e5e8e8f146cdcd4783620928652&TIME=20240611T200650Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

tls, http2

2.4kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8e04JwBWLQ6pnHIgzWyj2FDVUCUy23vSMrg9AjlrrVbHama_eildBYE7LaTRg541btnqYeKoqeZBs_4OCmwsl0zi_19i4qy3le7KqUP5N9xC_X6fhT_HkGtigYGKnybERR6ytbwRkUgkiRT-yZA6sVppbiRI3DPSSAoBmnZuyZbr4inCG%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D7f461e5e8e8f146cdcd4783620928652&TIME=20240611T200650Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8e04JwBWLQ6pnHIgzWyj2FDVUCUy23vSMrg9AjlrrVbHama_eildBYE7LaTRg541btnqYeKoqeZBs_4OCmwsl0zi_19i4qy3le7KqUP5N9xC_X6fhT_HkGtigYGKnybERR6ytbwRkUgkiRT-yZA6sVppbiRI3DPSSAoBmnZuyZbr4inCG%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D7f461e5e8e8f146cdcd4783620928652&TIME=20240611T200650Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

HTTP Response

204
23.62.61.97:443

https://www.bing.com/aes/c.gif?RG=da2ac46cb82042bcadbfcfd740d7cfea&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T200650Z&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=da2ac46cb82042bcadbfcfd740d7cfea&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T200650Z&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

98.251.17.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

98.251.17.2.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

97.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

97.61.62.23.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

57.15.31.184.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

57.15.31.184.in-addr.arpa
8.8.8.8:53

88.251.17.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.251.17.2.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3HQJO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8OBDC.tmp\662edccf2a1b9_pe.tmp

Filesize
3.1MB

MD5
b23174df4a38d6a0ef0d0dc7c33f016b

SHA1
52fe6f6fcfff9f81de222114b0e1499662d6aba0

SHA256
9dfed8bfcc4be0234a4d9ae70edf04e2eccf692a17c1f2a7ef3e27544c44daba

SHA512
c2bcd7484be259a7825c095a380ee0cfa3720f0c54ba74e4576bf1716b3a3a7cf205f4efa3ab9ea75e69cfd9528a06add9e5687788d7228dfc93e0ed78828f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ARTAS.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EFJSL.tmp\662edccf2a1b9_pe.exe

Filesize
1.7MB

MD5
4fe0240cd1a8b074df9ac1b87fc384c9

SHA1
9cc5cdd71646bde7859bbe30266a8fc0fcf75efd

SHA256
a60181c740eaa02e8644621df5a86b523702b8412fc4638bfb0af666ad4dbf7f

SHA512
89a0b011e575613eddd94b344b12d69e0c2fd1d80674e3a250cc4f2f69ee22edbe0d5705042e9af77adfdca1d4e7bcf5958d0cc20dd1b9fff5a24f9c8fca6a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S8CGH.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Filesize
3.1MB

MD5
391e3fb9f9a24c1278fbd9f27eb495b7

SHA1
b7d51eed6117954c30c6e849beab7557bf38e0f6

SHA256
eb1ae5571665df14ca676be26a61ca285aca81bcbfcb3155df990f656c2d3d1c

SHA512
7fc2c96d833f91e09a4264d50de19b70c1cb6eb36fe6b7ca0b2ba1752417cd184557a238c0ef5714d7c7b2c1efa60a55249a80a18ce392195e23874f865c0d29

Download Submit
memory/1364-15-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1364-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1364-47-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2636-27-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2636-48-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2840-50-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3944-19-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3944-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3944-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4028-36-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4028-49-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4608-17-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4608-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.