sality | 1f4524f08b8f68c4109884c6504de8bc1bec4b469c2ed308a13eb26c94737e56

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f4524f08b8f68c4109884c6504de8bc1bec4b469c2ed308a13eb26c94737e56_NeikiAnalytics.dll
Size

120KB
MD5

3ed77d210308adfd4d0e8ee36e3c6ff0
SHA1

f9cda03ae1a31b9047681906a834e7ec86c38b8f
SHA256

1f4524f08b8f68c4109884c6504de8bc1bec4b469c2ed308a13eb26c94737e56
SHA512

62e9ea56825c8ee0604295f2f6aa08898231a25f546c1f613ece68244b6d464364b9e2df795ecf030e370f8475bbf5bc4fc5dd7705e773ffeddc4f1549a2a973
SSDEEP

3072:2d7ZpilO/Ou3WuBTMlNQcQQx1oqQu1yPiq0:8l4lgWmTMlNQczi01Wh

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f7620e9.exef763cc2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f763cc2.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7620e9.exef763cc2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763cc2.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f763cc2.exef7620e9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f763cc2.exe

Executes dropped EXE 3 IoCs

Processes:

f7620e9.exef76229e.exef763cc2.exe

pid process

2004 f7620e9.exe
2360 f76229e.exe
764 f763cc2.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2124 rundll32.exe
2124 rundll32.exe
2124 rundll32.exe
2124 rundll32.exe
2124 rundll32.exe
2124 rundll32.exe

pid	process
2004	f7620e9.exe
2360	f76229e.exe
764	f763cc2.exe

pid	process
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2004-12-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-16-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-19-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-14-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-21-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-17-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-15-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-22-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-20-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-18-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-61-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-63-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-62-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-65-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-64-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-67-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-68-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-81-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-82-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-84-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-103-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-105-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-115-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2004-152-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/764-167-0x0000000000910000-0x00000000019CA000-memory.dmp	upx
behavioral1/memory/764-207-0x0000000000910000-0x00000000019CA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7620e9.exef763cc2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7620e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f763cc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f763cc2.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7620e9.exef763cc2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7620e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763cc2.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7620e9.exef763cc2.exe

description	ioc	process
File opened (read-only)	\??\T:	f7620e9.exe
File opened (read-only)	\??\G:	f7620e9.exe
File opened (read-only)	\??\H:	f7620e9.exe
File opened (read-only)	\??\N:	f7620e9.exe
File opened (read-only)	\??\P:	f7620e9.exe
File opened (read-only)	\??\S:	f7620e9.exe
File opened (read-only)	\??\I:	f7620e9.exe
File opened (read-only)	\??\J:	f7620e9.exe
File opened (read-only)	\??\L:	f7620e9.exe
File opened (read-only)	\??\E:	f763cc2.exe
File opened (read-only)	\??\E:	f7620e9.exe
File opened (read-only)	\??\M:	f7620e9.exe
File opened (read-only)	\??\R:	f7620e9.exe
File opened (read-only)	\??\G:	f763cc2.exe
File opened (read-only)	\??\K:	f7620e9.exe
File opened (read-only)	\??\O:	f7620e9.exe
File opened (read-only)	\??\Q:	f7620e9.exe

Drops file in Windows directory 3 IoCs

Processes:

f7620e9.exef763cc2.exe

description ioc process

File created C:\Windows\f762156 f7620e9.exe
File opened for modification C:\Windows\SYSTEM.INI f7620e9.exe
File created C:\Windows\f767169 f763cc2.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f7620e9.exef763cc2.exe

pid process

2004 f7620e9.exe
2004 f7620e9.exe
764 f763cc2.exe

description	ioc	process
File created	C:\Windows\f762156	f7620e9.exe
File opened for modification	C:\Windows\SYSTEM.INI	f7620e9.exe
File created	C:\Windows\f767169	f763cc2.exe

pid	process
2004	f7620e9.exe
2004	f7620e9.exe
764	f763cc2.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f7620e9.exef763cc2.exe

description	pid	process
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	2004	f7620e9.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe
Token: SeDebugPrivilege	764	f763cc2.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef7620e9.exef763cc2.exe

description	pid	process	target process
PID 1840 wrote to memory of 2124	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 2124	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 2124	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 2124	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 2124	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 2124	1840	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 2124	1840	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 2004	2124	rundll32.exe	f7620e9.exe
PID 2124 wrote to memory of 2004	2124	rundll32.exe	f7620e9.exe
PID 2124 wrote to memory of 2004	2124	rundll32.exe	f7620e9.exe
PID 2124 wrote to memory of 2004	2124	rundll32.exe	f7620e9.exe
PID 2004 wrote to memory of 1076	2004	f7620e9.exe	taskhost.exe
PID 2004 wrote to memory of 1152	2004	f7620e9.exe	Dwm.exe
PID 2004 wrote to memory of 1180	2004	f7620e9.exe	Explorer.EXE
PID 2004 wrote to memory of 2128	2004	f7620e9.exe	DllHost.exe
PID 2004 wrote to memory of 1840	2004	f7620e9.exe	rundll32.exe
PID 2004 wrote to memory of 2124	2004	f7620e9.exe	rundll32.exe
PID 2004 wrote to memory of 2124	2004	f7620e9.exe	rundll32.exe
PID 2124 wrote to memory of 2360	2124	rundll32.exe	f76229e.exe
PID 2124 wrote to memory of 2360	2124	rundll32.exe	f76229e.exe
PID 2124 wrote to memory of 2360	2124	rundll32.exe	f76229e.exe
PID 2124 wrote to memory of 2360	2124	rundll32.exe	f76229e.exe
PID 2124 wrote to memory of 764	2124	rundll32.exe	f763cc2.exe
PID 2124 wrote to memory of 764	2124	rundll32.exe	f763cc2.exe
PID 2124 wrote to memory of 764	2124	rundll32.exe	f763cc2.exe
PID 2124 wrote to memory of 764	2124	rundll32.exe	f763cc2.exe
PID 2004 wrote to memory of 1076	2004	f7620e9.exe	taskhost.exe
PID 2004 wrote to memory of 1152	2004	f7620e9.exe	Dwm.exe
PID 2004 wrote to memory of 1180	2004	f7620e9.exe	Explorer.EXE
PID 2004 wrote to memory of 2360	2004	f7620e9.exe	f76229e.exe
PID 2004 wrote to memory of 2360	2004	f7620e9.exe	f76229e.exe
PID 2004 wrote to memory of 764	2004	f7620e9.exe	f763cc2.exe
PID 2004 wrote to memory of 764	2004	f7620e9.exe	f763cc2.exe
PID 764 wrote to memory of 1076	764	f763cc2.exe	taskhost.exe
PID 764 wrote to memory of 1152	764	f763cc2.exe	Dwm.exe
PID 764 wrote to memory of 1180	764	f763cc2.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f763cc2.exef7620e9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763cc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7620e9.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1076

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f4524f08b8f68c4109884c6504de8bc1bec4b469c2ed308a13eb26c94737e56_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f4524f08b8f68c4109884c6504de8bc1bec4b469c2ed308a13eb26c94737e56_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\f7620e9.exe
C:\Users\Admin\AppData\Local\Temp\f7620e9.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2004

C:\Users\Admin\AppData\Local\Temp\f76229e.exe
C:\Users\Admin\AppData\Local\Temp\f76229e.exe
4⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Local\Temp\f763cc2.exe
C:\Users\Admin\AppData\Local\Temp\f763cc2.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2128

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f7620e9.exe
Filesize
97KB

MD5
6ce4fa4e3a67c23cac677004a1f5b627

SHA1
80d2ce03e9df38c14a863d4011b9f928aacb5f73

SHA256
23e85fe3a59f6b23cb3b67e597911aafaf99c9d2961a3575aa040cc287055af2

SHA512
5b65acd49eeb8e0e76b7ed9a4556c71b5066a9521f0bcbf38ff42bbe149b1e407f0c3a529b74eb2a3121a86cc92f3e903ad3b02eba419cabebb011ba2daee34d

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
42d093c973126b3d9df88b74f51f7fb9

SHA1
b3b993e655d46b97408fa15b89c2fc30daa684ba

SHA256
b482f2372a1298056d29d817acd7ec1638969bb25d7805b2575107f156093561

SHA512
43ddb6ac60af8e7ae9b48a92ae8378f7c3c4543c4c1b47a33d8a6b0babac995be99d2848af61a287e4ed3ef0416707dbd035704480fe2a5a45795edead057ee4

Download Submit
memory/764-207-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/764-206-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/764-167-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/764-102-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/764-100-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/764-99-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/764-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1076-28-0x00000000020B0000-0x00000000020B2000-memory.dmp

Filesize
8KB

Download
memory/2004-61-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-67-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-12-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-56-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/2004-151-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-152-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-21-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-115-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-105-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-46-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2004-17-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-15-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-22-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-20-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-18-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-103-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-63-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-62-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-65-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-64-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-16-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-68-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-48-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/2004-81-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-82-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-84-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-19-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2004-14-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-37-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2124-59-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2124-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2124-36-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2124-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-45-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2124-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-55-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2360-93-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2360-179-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2360-94-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2360-101-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads