sality | 71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll
Size

120KB
MD5

163cf396957170cb78de1e659bbecaa0
SHA1

426dba85964e52866c3e72bbc0e6126f9158c538
SHA256

71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db
SHA512

f82ba9eb52ec3668ee28b433d48c2be681eca37db7ad0b52ac7edc45cf5450e395309979f39e4060e0d84cebbfbd12ab489bf9c2a893935e80affdddcafe31f4
SSDEEP

1536:QOwGisdzxX3ciMB6Gipx1X9zsBYgMDSMRFGtq9lLMxec5w3Z9UJuf+3aZpJ3r+Eb:Qzs1iiMgGA9zg/MPhr3Z90qZjf

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f766a28.exef76847b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f76847b.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f766a28.exef76847b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76847b.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76847b.exef766a28.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76847b.exe

Executes dropped EXE 3 IoCs

Processes:

f766a28.exef766d82.exef76847b.exe

pid process

2076 f766a28.exe
2640 f766d82.exe
2544 f76847b.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2204 rundll32.exe
2204 rundll32.exe
2204 rundll32.exe
2204 rundll32.exe
2204 rundll32.exe
2204 rundll32.exe

pid	process
2076	f766a28.exe
2640	f766d82.exe
2544	f76847b.exe

pid	process
2204	rundll32.exe
2204	rundll32.exe
2204	rundll32.exe
2204	rundll32.exe
2204	rundll32.exe
2204	rundll32.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2076-12-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-16-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-19-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-18-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-14-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-22-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-20-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-17-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-15-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-21-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-73-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-74-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-75-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-76-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-78-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-77-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-80-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-101-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2076-104-0x0000000000590000-0x000000000164A000-memory.dmp	upx
behavioral1/memory/2544-127-0x0000000000920000-0x00000000019DA000-memory.dmp	upx
behavioral1/memory/2544-165-0x0000000000920000-0x00000000019DA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f766a28.exef76847b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76847b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f766a28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76847b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f766a28.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f766a28.exef76847b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76847b.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

f766a28.exe

description ioc process

File opened (read-only) \??\G: f766a28.exe
File opened (read-only) \??\E: f766a28.exe
Drops file in Windows directory 3 IoCs

Processes:

f766a28.exef76847b.exe

description ioc process

File created C:\Windows\f766af3 f766a28.exe
File opened for modification C:\Windows\SYSTEM.INI f766a28.exe
File created C:\Windows\f76c755 f76847b.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f766a28.exef76847b.exe

pid process

2076 f766a28.exe
2076 f766a28.exe
2544 f76847b.exe

description	ioc	process
File opened (read-only)	\??\G:	f766a28.exe
File opened (read-only)	\??\E:	f766a28.exe

description	ioc	process
File created	C:\Windows\f766af3	f766a28.exe
File opened for modification	C:\Windows\SYSTEM.INI	f766a28.exe
File created	C:\Windows\f76c755	f76847b.exe

pid	process
2076	f766a28.exe
2076	f766a28.exe
2544	f76847b.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f766a28.exef76847b.exe

description	pid	process
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2076	f766a28.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe
Token: SeDebugPrivilege	2544	f76847b.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef766a28.exef76847b.exe

description	pid	process	target process
PID 2176 wrote to memory of 2204	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 2204	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 2204	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 2204	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 2204	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 2204	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 2204	2176	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 2076	2204	rundll32.exe	f766a28.exe
PID 2204 wrote to memory of 2076	2204	rundll32.exe	f766a28.exe
PID 2204 wrote to memory of 2076	2204	rundll32.exe	f766a28.exe
PID 2204 wrote to memory of 2076	2204	rundll32.exe	f766a28.exe
PID 2076 wrote to memory of 1200	2076	f766a28.exe	taskhost.exe
PID 2076 wrote to memory of 1284	2076	f766a28.exe	Dwm.exe
PID 2076 wrote to memory of 1344	2076	f766a28.exe	Explorer.EXE
PID 2076 wrote to memory of 1088	2076	f766a28.exe	DllHost.exe
PID 2076 wrote to memory of 2176	2076	f766a28.exe	rundll32.exe
PID 2076 wrote to memory of 2204	2076	f766a28.exe	rundll32.exe
PID 2076 wrote to memory of 2204	2076	f766a28.exe	rundll32.exe
PID 2204 wrote to memory of 2640	2204	rundll32.exe	f766d82.exe
PID 2204 wrote to memory of 2640	2204	rundll32.exe	f766d82.exe
PID 2204 wrote to memory of 2640	2204	rundll32.exe	f766d82.exe
PID 2204 wrote to memory of 2640	2204	rundll32.exe	f766d82.exe
PID 2204 wrote to memory of 2544	2204	rundll32.exe	f76847b.exe
PID 2204 wrote to memory of 2544	2204	rundll32.exe	f76847b.exe
PID 2204 wrote to memory of 2544	2204	rundll32.exe	f76847b.exe
PID 2204 wrote to memory of 2544	2204	rundll32.exe	f76847b.exe
PID 2076 wrote to memory of 1200	2076	f766a28.exe	taskhost.exe
PID 2076 wrote to memory of 1284	2076	f766a28.exe	Dwm.exe
PID 2076 wrote to memory of 1344	2076	f766a28.exe	Explorer.EXE
PID 2076 wrote to memory of 2640	2076	f766a28.exe	f766d82.exe
PID 2076 wrote to memory of 2640	2076	f766a28.exe	f766d82.exe
PID 2076 wrote to memory of 2544	2076	f766a28.exe	f76847b.exe
PID 2076 wrote to memory of 2544	2076	f766a28.exe	f76847b.exe
PID 2544 wrote to memory of 1200	2544	f76847b.exe	taskhost.exe
PID 2544 wrote to memory of 1284	2544	f76847b.exe	Dwm.exe
PID 2544 wrote to memory of 1344	2544	f76847b.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f766a28.exef76847b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f766a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76847b.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1284

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\f766a28.exe
C:\Users\Admin\AppData\Local\Temp\f766a28.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2076

C:\Users\Admin\AppData\Local\Temp\f766d82.exe
C:\Users\Admin\AppData\Local\Temp\f766d82.exe
4⤵
- Executes dropped EXE
PID:2640

C:\Users\Admin\AppData\Local\Temp\f76847b.exe
C:\Users\Admin\AppData\Local\Temp\f76847b.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1088

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
8be216fcd282503561658d028c3677b6

SHA1
4df669f0dc1ac74112c12f3ee02f4ea3748b888a

SHA256
98e4f165713947c538e0e7d5ae22a0d0782d16b647ca00c1080ccdef238e87d7

SHA512
6374b6b0b77a0454eed17287c65fe0145cea900c43a563a2ce56372654276a399c2a1fc5c423584040dd933031ca6c470e0c989df03d043ef00ee112e7f34b23

Download Submit
\Users\Admin\AppData\Local\Temp\f766a28.exe
Filesize
97KB

MD5
3f0ee0071f010b0a817514b9fce4796a

SHA1
3360f62f7bf1b184463bf5bac9ac1414b4769f0e

SHA256
3ab4f11430c87411c6110c1a827c7ba20ce0b230cef11a0d7b773e19c9050393

SHA512
4f445dcd0ee76c93d484e6e1303de2407f61517620260a6c62d759cd24c734c7fd74ad7f53acb10dbb2e0b06b6642994057377befbcd07fa6456f0dd738c7ada

Download Submit
memory/1200-28-0x0000000001C40000-0x0000000001C42000-memory.dmp

Filesize
8KB

Download
memory/2076-14-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-47-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/2076-12-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-16-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-19-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-104-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-101-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-18-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-99-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/2076-80-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-74-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-22-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-121-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-20-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-45-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/2076-77-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-17-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-78-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-15-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-21-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-50-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/2076-76-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-75-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-73-0x0000000000590000-0x000000000164A000-memory.dmp

Filesize
16.7MB

Download
memory/2204-36-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2204-63-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2204-69-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2204-56-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2204-44-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2204-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2204-35-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2204-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2204-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2204-57-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2544-97-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2544-100-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2544-98-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2544-127-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2544-164-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2544-165-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2640-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2640-89-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2640-95-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2640-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2640-96-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads