sality | 344a45f9a3ba56a1615a9b04e89b5f0ac04f752340c874f9f3fa66e67b65b3dd

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

344a45f9a3ba56a1615a9b04e89b5f0ac04f752340c874f9f3fa66e67b65b3dd_NeikiAnalytics.dll
Size

120KB
MD5

c9c0e23a7942d0ff6ac03f2482e25f30
SHA1

706d6aa8b7ce0155ab431d0fe7a95577da39042f
SHA256

344a45f9a3ba56a1615a9b04e89b5f0ac04f752340c874f9f3fa66e67b65b3dd
SHA512

27fb3feff7bfe1e555a6729962fc0699ad79500cdb90c7a736a54d1da6d0c1bf8494c16828a98ee23ec70b9de7b9ab9f9797bca0bb644a1931e6a7425416b27e
SSDEEP

1536:I/d/Hy/nqQcZU4kb0UGKDZHyYJUbbWLzoj68fu9hoCpX30sTR/gQOrSXl:IVfrQcGnGod8bCzojE9qC1pR/5s

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f762378.exef7607be.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7607be.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7607be.exef762378.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762378.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7607be.exef762378.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7607be.exe

Executes dropped EXE 3 IoCs

Processes:

f7607be.exef760973.exef762378.exe

pid process

2016 f7607be.exe
2888 f760973.exe
2156 f762378.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

3024 rundll32.exe
3024 rundll32.exe
3024 rundll32.exe
3024 rundll32.exe
3024 rundll32.exe
3024 rundll32.exe

pid	process
2016	f7607be.exe
2888	f760973.exe
2156	f762378.exe

pid	process
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2016-14-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-12-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-15-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-18-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-20-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-21-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-22-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-19-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-17-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-16-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-62-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-63-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-64-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-65-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-66-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-68-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-69-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-84-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-87-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-90-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2016-158-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2156-175-0x0000000000910000-0x00000000019CA000-memory.dmp	upx
behavioral1/memory/2156-214-0x0000000000910000-0x00000000019CA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7607be.exef762378.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7607be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762378.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762378.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7607be.exef762378.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762378.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7607be.exef762378.exe

description	ioc	process
File opened (read-only)	\??\O:	f7607be.exe
File opened (read-only)	\??\Q:	f7607be.exe
File opened (read-only)	\??\G:	f762378.exe
File opened (read-only)	\??\H:	f7607be.exe
File opened (read-only)	\??\K:	f7607be.exe
File opened (read-only)	\??\L:	f7607be.exe
File opened (read-only)	\??\M:	f7607be.exe
File opened (read-only)	\??\N:	f7607be.exe
File opened (read-only)	\??\P:	f7607be.exe
File opened (read-only)	\??\R:	f7607be.exe
File opened (read-only)	\??\E:	f7607be.exe
File opened (read-only)	\??\J:	f7607be.exe
File opened (read-only)	\??\S:	f7607be.exe
File opened (read-only)	\??\G:	f7607be.exe
File opened (read-only)	\??\I:	f7607be.exe
File opened (read-only)	\??\E:	f762378.exe

Drops file in Windows directory 3 IoCs

Processes:

f7607be.exef762378.exe

description ioc process

File created C:\Windows\f76083b f7607be.exe
File opened for modification C:\Windows\SYSTEM.INI f7607be.exe
File created C:\Windows\f76585d f762378.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f7607be.exef762378.exe

pid process

2016 f7607be.exe
2016 f7607be.exe
2156 f762378.exe

description	ioc	process
File created	C:\Windows\f76083b	f7607be.exe
File opened for modification	C:\Windows\SYSTEM.INI	f7607be.exe
File created	C:\Windows\f76585d	f762378.exe

pid	process
2016	f7607be.exe
2016	f7607be.exe
2156	f762378.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f7607be.exef762378.exe

description	pid	process
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2016	f7607be.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe
Token: SeDebugPrivilege	2156	f762378.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef7607be.exef762378.exe

description	pid	process	target process
PID 3000 wrote to memory of 3024	3000	rundll32.exe	rundll32.exe
PID 3000 wrote to memory of 3024	3000	rundll32.exe	rundll32.exe
PID 3000 wrote to memory of 3024	3000	rundll32.exe	rundll32.exe
PID 3000 wrote to memory of 3024	3000	rundll32.exe	rundll32.exe
PID 3000 wrote to memory of 3024	3000	rundll32.exe	rundll32.exe
PID 3000 wrote to memory of 3024	3000	rundll32.exe	rundll32.exe
PID 3000 wrote to memory of 3024	3000	rundll32.exe	rundll32.exe
PID 3024 wrote to memory of 2016	3024	rundll32.exe	f7607be.exe
PID 3024 wrote to memory of 2016	3024	rundll32.exe	f7607be.exe
PID 3024 wrote to memory of 2016	3024	rundll32.exe	f7607be.exe
PID 3024 wrote to memory of 2016	3024	rundll32.exe	f7607be.exe
PID 2016 wrote to memory of 1108	2016	f7607be.exe	taskhost.exe
PID 2016 wrote to memory of 1168	2016	f7607be.exe	Dwm.exe
PID 2016 wrote to memory of 1228	2016	f7607be.exe	Explorer.EXE
PID 2016 wrote to memory of 1876	2016	f7607be.exe	DllHost.exe
PID 2016 wrote to memory of 3000	2016	f7607be.exe	rundll32.exe
PID 2016 wrote to memory of 3024	2016	f7607be.exe	rundll32.exe
PID 2016 wrote to memory of 3024	2016	f7607be.exe	rundll32.exe
PID 3024 wrote to memory of 2888	3024	rundll32.exe	f760973.exe
PID 3024 wrote to memory of 2888	3024	rundll32.exe	f760973.exe
PID 3024 wrote to memory of 2888	3024	rundll32.exe	f760973.exe
PID 3024 wrote to memory of 2888	3024	rundll32.exe	f760973.exe
PID 3024 wrote to memory of 2156	3024	rundll32.exe	f762378.exe
PID 3024 wrote to memory of 2156	3024	rundll32.exe	f762378.exe
PID 3024 wrote to memory of 2156	3024	rundll32.exe	f762378.exe
PID 3024 wrote to memory of 2156	3024	rundll32.exe	f762378.exe
PID 2016 wrote to memory of 1108	2016	f7607be.exe	taskhost.exe
PID 2016 wrote to memory of 1168	2016	f7607be.exe	Dwm.exe
PID 2016 wrote to memory of 1228	2016	f7607be.exe	Explorer.EXE
PID 2016 wrote to memory of 2888	2016	f7607be.exe	f760973.exe
PID 2016 wrote to memory of 2888	2016	f7607be.exe	f760973.exe
PID 2016 wrote to memory of 2156	2016	f7607be.exe	f762378.exe
PID 2016 wrote to memory of 2156	2016	f7607be.exe	f762378.exe
PID 2156 wrote to memory of 1108	2156	f762378.exe	taskhost.exe
PID 2156 wrote to memory of 1168	2156	f762378.exe	Dwm.exe
PID 2156 wrote to memory of 1228	2156	f762378.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7607be.exef762378.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7607be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762378.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\344a45f9a3ba56a1615a9b04e89b5f0ac04f752340c874f9f3fa66e67b65b3dd_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\344a45f9a3ba56a1615a9b04e89b5f0ac04f752340c874f9f3fa66e67b65b3dd_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\f7607be.exe
C:\Users\Admin\AppData\Local\Temp\f7607be.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2016

C:\Users\Admin\AppData\Local\Temp\f760973.exe
C:\Users\Admin\AppData\Local\Temp\f760973.exe
4⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\AppData\Local\Temp\f762378.exe
C:\Users\Admin\AppData\Local\Temp\f762378.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1876

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
b3f8936db039a7bd1acd61b9b9ee23e7

SHA1
4008d6583aac2d6edd47f9e85755446d4a9fc9f2

SHA256
c45fc09d17b712e3fa3b8e7e38a4d768c9c2d59b1695733d3797ac22f49e165c

SHA512
a68b92f1abbedbb5564f848195ada957d6aff6eeea0331781b472343a14ee9279fd0f3ab8e9a66ab9020bdf26714ca8e756bf7422b1b4e9106b7b8623b62f9fa

Download Submit
\Users\Admin\AppData\Local\Temp\f7607be.exe
Filesize
97KB

MD5
7fddc2fdfd26d476b0da35f6e5ca3ebb

SHA1
73ad09d1825a268003c827175b8f8c312331f33e

SHA256
96fada3f43455efa792f54729f4ab4c2b51b5fb7df9dfd259f67bee58a76ac99

SHA512
9ab60738f6df6af66534e22e96df01930e5a049cb43a6049eeb21a915ae67bd954c8a11543ce183d4cd482df02d45aa40bbdb66d77a42faf64a7c8fb96411791

Download Submit
memory/1108-23-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/2016-62-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-17-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-14-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-65-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2016-12-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-64-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-18-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-20-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-21-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-159-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2016-22-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-19-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-66-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-16-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-41-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2016-158-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-128-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/2016-63-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-90-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-87-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-61-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/2016-60-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/2016-84-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-69-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-15-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2016-68-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2156-213-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2156-107-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2156-214-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/2156-175-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/2156-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2156-106-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2156-109-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2888-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2888-100-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2888-169-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2888-99-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2888-108-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/3024-9-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/3024-81-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/3024-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3024-80-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/3024-50-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/3024-31-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/3024-42-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/3024-32-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/3024-78-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/3024-52-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/3024-10-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/3024-53-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads