sality | 1dfe037bfb2e4ddde09deaa2c144f36e7c3126d073056f8cdb32f53e8822ded7

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dfe037bfb2e4ddde09deaa2c144f36e7c3126d073056f8cdb32f53e8822ded7_NeikiAnalytics.dll
Size

120KB
MD5

fb3faf9cd45c08e2061099bd3492c9f0
SHA1

e09f13b82cff2d6855f3166fff0bb0d5a48bc60e
SHA256

1dfe037bfb2e4ddde09deaa2c144f36e7c3126d073056f8cdb32f53e8822ded7
SHA512

cd21b7b6329790fe19f7d96a616fbbc46d331c7a2ca5e60209b7ee81e2d0ce2524123bdd9ebfc185718c2c530aaee2b6677c5a24bb2a5874d2eadea40efe70d6
SSDEEP

3072:Ns+f+jogMHc5MXxhffRN+i+U6Wq7CqkL:HxJfffH0vW

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f7619f6.exef761b7c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f761b7c.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7619f6.exef761b7c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b7c.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7619f6.exef761b7c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7619f6.exe

Executes dropped EXE 3 IoCs

Processes:

f7619f6.exef761b7c.exef7637b3.exe

pid process

1056 f7619f6.exe
2412 f761b7c.exe
1664 f7637b3.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2588 rundll32.exe
2588 rundll32.exe
2588 rundll32.exe
2588 rundll32.exe
2588 rundll32.exe
2588 rundll32.exe

pid	process
1056	f7619f6.exe
2412	f761b7c.exe
1664	f7637b3.exe

pid	process
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1056-12-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-15-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-18-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-14-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-17-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-19-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-21-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-20-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-16-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-22-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-58-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-59-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-60-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-62-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-61-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-64-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-77-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-78-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-79-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-100-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-102-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-105-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/1056-142-0x00000000005F0000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/2412-154-0x0000000000910000-0x00000000019CA000-memory.dmp	upx
behavioral1/memory/2412-175-0x0000000000910000-0x00000000019CA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f761b7c.exef7619f6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761b7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761b7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7619f6.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7619f6.exef761b7c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b7c.exe

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7619f6.exe

description	ioc	process
File opened (read-only)	\??\I:	f7619f6.exe
File opened (read-only)	\??\N:	f7619f6.exe
File opened (read-only)	\??\O:	f7619f6.exe
File opened (read-only)	\??\E:	f7619f6.exe
File opened (read-only)	\??\K:	f7619f6.exe
File opened (read-only)	\??\M:	f7619f6.exe
File opened (read-only)	\??\P:	f7619f6.exe
File opened (read-only)	\??\G:	f7619f6.exe
File opened (read-only)	\??\L:	f7619f6.exe
File opened (read-only)	\??\Q:	f7619f6.exe
File opened (read-only)	\??\H:	f7619f6.exe
File opened (read-only)	\??\J:	f7619f6.exe
File opened (read-only)	\??\R:	f7619f6.exe

Drops file in Windows directory 3 IoCs

Processes:

f7619f6.exef761b7c.exe

description ioc process

File created C:\Windows\f761a35 f7619f6.exe
File opened for modification C:\Windows\SYSTEM.INI f7619f6.exe
File created C:\Windows\f766a95 f761b7c.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f7619f6.exef761b7c.exe

pid process

1056 f7619f6.exe
1056 f7619f6.exe
2412 f761b7c.exe

description	ioc	process
File created	C:\Windows\f761a35	f7619f6.exe
File opened for modification	C:\Windows\SYSTEM.INI	f7619f6.exe
File created	C:\Windows\f766a95	f761b7c.exe

pid	process
1056	f7619f6.exe
1056	f7619f6.exe
2412	f761b7c.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f7619f6.exef761b7c.exe

description	pid	process
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	1056	f7619f6.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe
Token: SeDebugPrivilege	2412	f761b7c.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef7619f6.exef761b7c.exe

description	pid	process	target process
PID 1640 wrote to memory of 2588	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 2588	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 2588	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 2588	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 2588	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 2588	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 2588	1640	rundll32.exe	rundll32.exe
PID 2588 wrote to memory of 1056	2588	rundll32.exe	f7619f6.exe
PID 2588 wrote to memory of 1056	2588	rundll32.exe	f7619f6.exe
PID 2588 wrote to memory of 1056	2588	rundll32.exe	f7619f6.exe
PID 2588 wrote to memory of 1056	2588	rundll32.exe	f7619f6.exe
PID 1056 wrote to memory of 1064	1056	f7619f6.exe	Dwm.exe
PID 1056 wrote to memory of 1092	1056	f7619f6.exe	taskhost.exe
PID 1056 wrote to memory of 1136	1056	f7619f6.exe	Explorer.EXE
PID 1056 wrote to memory of 1588	1056	f7619f6.exe	DllHost.exe
PID 1056 wrote to memory of 1640	1056	f7619f6.exe	rundll32.exe
PID 1056 wrote to memory of 2588	1056	f7619f6.exe	rundll32.exe
PID 1056 wrote to memory of 2588	1056	f7619f6.exe	rundll32.exe
PID 2588 wrote to memory of 2412	2588	rundll32.exe	f761b7c.exe
PID 2588 wrote to memory of 2412	2588	rundll32.exe	f761b7c.exe
PID 2588 wrote to memory of 2412	2588	rundll32.exe	f761b7c.exe
PID 2588 wrote to memory of 2412	2588	rundll32.exe	f761b7c.exe
PID 2588 wrote to memory of 1664	2588	rundll32.exe	f7637b3.exe
PID 2588 wrote to memory of 1664	2588	rundll32.exe	f7637b3.exe
PID 2588 wrote to memory of 1664	2588	rundll32.exe	f7637b3.exe
PID 2588 wrote to memory of 1664	2588	rundll32.exe	f7637b3.exe
PID 1056 wrote to memory of 1064	1056	f7619f6.exe	Dwm.exe
PID 1056 wrote to memory of 1092	1056	f7619f6.exe	taskhost.exe
PID 1056 wrote to memory of 1136	1056	f7619f6.exe	Explorer.EXE
PID 1056 wrote to memory of 2412	1056	f7619f6.exe	f761b7c.exe
PID 1056 wrote to memory of 2412	1056	f7619f6.exe	f761b7c.exe
PID 1056 wrote to memory of 1664	1056	f7619f6.exe	f7637b3.exe
PID 1056 wrote to memory of 1664	1056	f7619f6.exe	f7637b3.exe
PID 2412 wrote to memory of 1064	2412	f761b7c.exe	Dwm.exe
PID 2412 wrote to memory of 1092	2412	f761b7c.exe	taskhost.exe
PID 2412 wrote to memory of 1136	2412	f761b7c.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7619f6.exef761b7c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7619f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b7c.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1064

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfe037bfb2e4ddde09deaa2c144f36e7c3126d073056f8cdb32f53e8822ded7_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfe037bfb2e4ddde09deaa2c144f36e7c3126d073056f8cdb32f53e8822ded7_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\f7619f6.exe
C:\Users\Admin\AppData\Local\Temp\f7619f6.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1056

C:\Users\Admin\AppData\Local\Temp\f761b7c.exe
C:\Users\Admin\AppData\Local\Temp\f761b7c.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2412

C:\Users\Admin\AppData\Local\Temp\f7637b3.exe
C:\Users\Admin\AppData\Local\Temp\f7637b3.exe
4⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1588

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
1996b42b7f0c7500bb8af03efb86acc3

SHA1
4345ac85257d901b1b7cc7f92e7e196352a17b5a

SHA256
bdcb6c571e1b24a2ae206e686b762a3db4f1b924c74634ce512c53cb9046542b

SHA512
da21d442edb1840ac38a5273e167b47fae4d1b6633e0dee31622df434f184a798296360d7dd2d429ba98156821c7b2474d7db5fbd3932118e6cdf95bfce32838

Download Submit
\Users\Admin\AppData\Local\Temp\f7619f6.exe
Filesize
97KB

MD5
e4525c09cd749123726d769945d650e6

SHA1
b53f0ec484e49bfd9e360790646ea05daf1a83d0

SHA256
b6f8aed186029cdaf60ff074642287e5d585be354fbf573c5150c2f4e04fcc78

SHA512
0782ee2c3fba0f9c8a0db4a829016cee2db0933c32d0e3724bd58a06dd088de42a66929fc07ed7bac614b601107999f1b2e2ab66125cfe4b8e98f78990513c11

Download Submit
memory/1056-60-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-61-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-12-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-14-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-62-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-19-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-21-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-45-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/1056-48-0x00000000017D0000-0x00000000017D2000-memory.dmp

Filesize
8KB

Download
memory/1056-47-0x00000000017D0000-0x00000000017D2000-memory.dmp

Filesize
8KB

Download
memory/1056-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1056-141-0x00000000017D0000-0x00000000017D2000-memory.dmp

Filesize
8KB

Download
memory/1056-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1056-142-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-105-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-77-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-78-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-20-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-16-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-102-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-100-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-22-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-58-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-59-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-18-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-17-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-15-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-64-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1056-79-0x00000000005F0000-0x00000000016AA000-memory.dmp

Filesize
16.7MB

Download
memory/1064-28-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/1664-99-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1664-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-94-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1664-97-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1664-180-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2412-154-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/2412-91-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2412-90-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2412-98-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2412-176-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2412-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2412-175-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/2588-55-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2588-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2588-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2588-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2588-44-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2588-36-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2588-72-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2588-35-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads