sality | 18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59

Analysis

max time kernel
25s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59_NeikiAnalytics.dll
Size

120KB
MD5

1e780fa39773470b975a00ae19e9cba0
SHA1

297e703f82720d898c24cfee969fc24a53097d6b
SHA256

18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59
SHA512

393e58e57b71bbe43879cb011627927f8885dc11949ca26ea9c7b66d7c0c978482396cac3c6bdd1913f4ecb61eede28a63b0ecfc58553353b0dae1c6ed2c8977
SSDEEP

1536:+ybxmzXHfDmrbVBN0YwU9lkrxekG3f3a9ZCj4HigcWmE+uQMHZMujj:BxWX6bVB2faOxePau4CJWmTM5Mu

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f762868.exef760cae.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f760cae.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760cae.exef762868.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762868.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f762868.exef760cae.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762868.exe

Executes dropped EXE 3 IoCs

Processes:

f760cae.exef760e62.exef762868.exe

pid process

2464 f760cae.exe
2648 f760e62.exe
1736 f762868.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2324 rundll32.exe
2324 rundll32.exe
2324 rundll32.exe
2324 rundll32.exe
2324 rundll32.exe
2324 rundll32.exe

pid	process
2464	f760cae.exe
2648	f760e62.exe
1736	f762868.exe

pid	process
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2464-17-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-22-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-24-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-20-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-23-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-21-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-15-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-19-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-18-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-16-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-63-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-64-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-65-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-67-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-66-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-69-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-70-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-83-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-86-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-87-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-105-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-106-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-123-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2464-154-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/1736-175-0x0000000000920000-0x00000000019DA000-memory.dmp	upx
behavioral1/memory/1736-208-0x0000000000920000-0x00000000019DA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760cae.exef762868.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760cae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762868.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760cae.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f760cae.exef762868.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762868.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f760cae.exef762868.exe

description	ioc	process
File opened (read-only)	\??\T:	f760cae.exe
File opened (read-only)	\??\E:	f762868.exe
File opened (read-only)	\??\E:	f760cae.exe
File opened (read-only)	\??\I:	f760cae.exe
File opened (read-only)	\??\L:	f760cae.exe
File opened (read-only)	\??\M:	f760cae.exe
File opened (read-only)	\??\N:	f760cae.exe
File opened (read-only)	\??\S:	f760cae.exe
File opened (read-only)	\??\Q:	f760cae.exe
File opened (read-only)	\??\G:	f760cae.exe
File opened (read-only)	\??\P:	f760cae.exe
File opened (read-only)	\??\R:	f760cae.exe
File opened (read-only)	\??\H:	f760cae.exe
File opened (read-only)	\??\J:	f760cae.exe
File opened (read-only)	\??\K:	f760cae.exe
File opened (read-only)	\??\O:	f760cae.exe

Drops file in Windows directory 3 IoCs

Processes:

f760cae.exef762868.exe

description ioc process

File created C:\Windows\f760cfc f760cae.exe
File opened for modification C:\Windows\SYSTEM.INI f760cae.exe
File created C:\Windows\f765d5c f762868.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f760cae.exef762868.exe

pid process

2464 f760cae.exe
2464 f760cae.exe
1736 f762868.exe

description	ioc	process
File created	C:\Windows\f760cfc	f760cae.exe
File opened for modification	C:\Windows\SYSTEM.INI	f760cae.exe
File created	C:\Windows\f765d5c	f762868.exe

pid	process
2464	f760cae.exe
2464	f760cae.exe
1736	f762868.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f760cae.exef762868.exe

description	pid	process
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	2464	f760cae.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe
Token: SeDebugPrivilege	1736	f762868.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef760cae.exef762868.exe

description	pid	process	target process
PID 2052 wrote to memory of 2324	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2324	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2324	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2324	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2324	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2324	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2324	2052	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	f760cae.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	f760cae.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	f760cae.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	f760cae.exe
PID 2464 wrote to memory of 1112	2464	f760cae.exe	taskhost.exe
PID 2464 wrote to memory of 1172	2464	f760cae.exe	Dwm.exe
PID 2464 wrote to memory of 1212	2464	f760cae.exe	Explorer.EXE
PID 2464 wrote to memory of 1760	2464	f760cae.exe	DllHost.exe
PID 2464 wrote to memory of 2052	2464	f760cae.exe	rundll32.exe
PID 2464 wrote to memory of 2324	2464	f760cae.exe	rundll32.exe
PID 2464 wrote to memory of 2324	2464	f760cae.exe	rundll32.exe
PID 2324 wrote to memory of 2648	2324	rundll32.exe	f760e62.exe
PID 2324 wrote to memory of 2648	2324	rundll32.exe	f760e62.exe
PID 2324 wrote to memory of 2648	2324	rundll32.exe	f760e62.exe
PID 2324 wrote to memory of 2648	2324	rundll32.exe	f760e62.exe
PID 2324 wrote to memory of 1736	2324	rundll32.exe	f762868.exe
PID 2324 wrote to memory of 1736	2324	rundll32.exe	f762868.exe
PID 2324 wrote to memory of 1736	2324	rundll32.exe	f762868.exe
PID 2324 wrote to memory of 1736	2324	rundll32.exe	f762868.exe
PID 2464 wrote to memory of 1112	2464	f760cae.exe	taskhost.exe
PID 2464 wrote to memory of 1172	2464	f760cae.exe	Dwm.exe
PID 2464 wrote to memory of 1212	2464	f760cae.exe	Explorer.EXE
PID 2464 wrote to memory of 2648	2464	f760cae.exe	f760e62.exe
PID 2464 wrote to memory of 2648	2464	f760cae.exe	f760e62.exe
PID 2464 wrote to memory of 1736	2464	f760cae.exe	f762868.exe
PID 2464 wrote to memory of 1736	2464	f760cae.exe	f762868.exe
PID 1736 wrote to memory of 1112	1736	f762868.exe	taskhost.exe
PID 1736 wrote to memory of 1172	1736	f762868.exe	Dwm.exe
PID 1736 wrote to memory of 1212	1736	f762868.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f760cae.exef762868.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760cae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762868.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\f760cae.exe
C:\Users\Admin\AppData\Local\Temp\f760cae.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2464

C:\Users\Admin\AppData\Local\Temp\f760e62.exe
C:\Users\Admin\AppData\Local\Temp\f760e62.exe
4⤵
- Executes dropped EXE
PID:2648

C:\Users\Admin\AppData\Local\Temp\f762868.exe
C:\Users\Admin\AppData\Local\Temp\f762868.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1760

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f760cae.exe
Filesize
97KB

MD5
4505cd2142c15dec99db268a11dbf60c

SHA1
071fde03004b546939e48ceaa499f780fdb35902

SHA256
6def2c041278768190a966cf89f5dd41a01fb313834a6ba3fe097502fde8913e

SHA512
0c2ab9ceb51d5b0d644ac82dba03a015fc1cdcfc67663cb829a89f436c01a4af3daa0c5aae24bf6168f93c065bb911eb40741c6c8292692d151b096c7bb60701

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
e6e9c71fae99d316bb2ef64d9285b002

SHA1
bfaee4662ce3bd88c1c0f7d516fdc62e3597c605

SHA256
9eb2882918efe591c5a0e38e19479daf28789793e341dd58d28aa3b58c79d275

SHA512
c853a93996ea92ecb9f4b2001033770600964db75a9a344c01ce5665369f0ecedc214d4698ce12fac7d66b0b3847fbd06ede0938534b7ae6afca507087ca3833

Download Submit
memory/1112-30-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1736-208-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/1736-101-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1736-82-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1736-104-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1736-209-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1736-175-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/1736-102-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2324-60-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2324-5-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2324-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2324-39-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2324-38-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2324-11-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2324-61-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2324-47-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2324-57-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2324-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2464-16-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-87-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-15-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-19-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-18-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2464-23-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-63-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-64-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-65-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-67-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-66-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-69-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-70-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-20-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-83-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-86-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-21-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-17-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-24-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-105-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-106-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-48-0x0000000003D20000-0x0000000003D21000-memory.dmp

Filesize
4KB

Download
memory/2464-50-0x0000000002FC0000-0x0000000002FC2000-memory.dmp

Filesize
8KB

Download
memory/2464-59-0x0000000002FC0000-0x0000000002FC2000-memory.dmp

Filesize
8KB

Download
memory/2464-22-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-123-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2464-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2464-154-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2648-158-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2648-95-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2648-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2648-96-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2648-103-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads