sality | 3c7c4fb91d8fff627be8e172b06c34af10a1a18710d4e5fc05016101b66d43b5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7c4fb91d8fff627be8e172b06c34af10a1a18710d4e5fc05016101b66d43b5_NeikiAnalytics.dll
Size

120KB
MD5

e2ac3fdf10345cd2106370d97b580be0
SHA1

8a2c41b57c0f7a137dcbd0b7de0585bd0fb24792
SHA256

3c7c4fb91d8fff627be8e172b06c34af10a1a18710d4e5fc05016101b66d43b5
SHA512

f0e267c275377309d51123f9fe81c70626cde36e47de25bbedd2842ecb7806e249cf76e682043f3d7b38e9732800c1170a9f45a6f9a5fd14f6c92bf1a2d8fe75
SSDEEP

3072:Uxw6xEFUc0tWv9B9GT+f4RkYxUlNPXXtznfhQv0:U6uUp9XffJlNPXdTGv

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f7614b9.exef763054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f763054.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7614b9.exef763054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763054.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7614b9.exef763054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f763054.exe

Executes dropped EXE 3 IoCs

Processes:

f7614b9.exef76166e.exef763054.exe

pid process

2224 f7614b9.exe
2448 f76166e.exe
1556 f763054.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2920 rundll32.exe
2920 rundll32.exe
2920 rundll32.exe
2920 rundll32.exe
2920 rundll32.exe
2920 rundll32.exe

pid	process
2224	f7614b9.exe
2448	f76166e.exe
1556	f763054.exe

pid	process
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2224-14-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-17-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-19-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-20-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-22-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-18-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-16-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-23-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-15-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-21-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-61-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-62-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-63-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-64-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-65-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-80-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-81-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-82-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-103-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-106-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-108-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-109-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2224-146-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/1556-162-0x0000000000A60000-0x0000000001B1A000-memory.dmp	upx
behavioral1/memory/1556-199-0x0000000000A60000-0x0000000001B1A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7614b9.exef763054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f763054.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f763054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f763054.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f763054.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7614b9.exef763054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763054.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7614b9.exef763054.exe

description	ioc	process
File opened (read-only)	\??\J:	f7614b9.exe
File opened (read-only)	\??\K:	f7614b9.exe
File opened (read-only)	\??\Q:	f7614b9.exe
File opened (read-only)	\??\E:	f763054.exe
File opened (read-only)	\??\H:	f7614b9.exe
File opened (read-only)	\??\I:	f7614b9.exe
File opened (read-only)	\??\N:	f7614b9.exe
File opened (read-only)	\??\G:	f763054.exe
File opened (read-only)	\??\G:	f7614b9.exe
File opened (read-only)	\??\L:	f7614b9.exe
File opened (read-only)	\??\M:	f7614b9.exe
File opened (read-only)	\??\O:	f7614b9.exe
File opened (read-only)	\??\P:	f7614b9.exe
File opened (read-only)	\??\E:	f7614b9.exe

Drops file in Windows directory 3 IoCs

Processes:

f763054.exef7614b9.exe

description ioc process

File created C:\Windows\f7665d5 f763054.exe
File created C:\Windows\f761516 f7614b9.exe
File opened for modification C:\Windows\SYSTEM.INI f7614b9.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f7614b9.exef763054.exe

pid process

2224 f7614b9.exe
2224 f7614b9.exe
1556 f763054.exe

description	ioc	process
File created	C:\Windows\f7665d5	f763054.exe
File created	C:\Windows\f761516	f7614b9.exe
File opened for modification	C:\Windows\SYSTEM.INI	f7614b9.exe

pid	process
2224	f7614b9.exe
2224	f7614b9.exe
1556	f763054.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f7614b9.exef763054.exe

description	pid	process
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	2224	f7614b9.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe
Token: SeDebugPrivilege	1556	f763054.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef7614b9.exef763054.exe

description	pid	process	target process
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2224	2920	rundll32.exe	f7614b9.exe
PID 2920 wrote to memory of 2224	2920	rundll32.exe	f7614b9.exe
PID 2920 wrote to memory of 2224	2920	rundll32.exe	f7614b9.exe
PID 2920 wrote to memory of 2224	2920	rundll32.exe	f7614b9.exe
PID 2224 wrote to memory of 1040	2224	f7614b9.exe	Dwm.exe
PID 2224 wrote to memory of 1056	2224	f7614b9.exe	taskhost.exe
PID 2224 wrote to memory of 1100	2224	f7614b9.exe	Explorer.EXE
PID 2224 wrote to memory of 2308	2224	f7614b9.exe	DllHost.exe
PID 2224 wrote to memory of 2860	2224	f7614b9.exe	rundll32.exe
PID 2224 wrote to memory of 2920	2224	f7614b9.exe	rundll32.exe
PID 2224 wrote to memory of 2920	2224	f7614b9.exe	rundll32.exe
PID 2920 wrote to memory of 2448	2920	rundll32.exe	f76166e.exe
PID 2920 wrote to memory of 2448	2920	rundll32.exe	f76166e.exe
PID 2920 wrote to memory of 2448	2920	rundll32.exe	f76166e.exe
PID 2920 wrote to memory of 2448	2920	rundll32.exe	f76166e.exe
PID 2920 wrote to memory of 1556	2920	rundll32.exe	f763054.exe
PID 2920 wrote to memory of 1556	2920	rundll32.exe	f763054.exe
PID 2920 wrote to memory of 1556	2920	rundll32.exe	f763054.exe
PID 2920 wrote to memory of 1556	2920	rundll32.exe	f763054.exe
PID 2224 wrote to memory of 1040	2224	f7614b9.exe	Dwm.exe
PID 2224 wrote to memory of 1056	2224	f7614b9.exe	taskhost.exe
PID 2224 wrote to memory of 1100	2224	f7614b9.exe	Explorer.EXE
PID 2224 wrote to memory of 2448	2224	f7614b9.exe	f76166e.exe
PID 2224 wrote to memory of 2448	2224	f7614b9.exe	f76166e.exe
PID 2224 wrote to memory of 1556	2224	f7614b9.exe	f763054.exe
PID 2224 wrote to memory of 1556	2224	f7614b9.exe	f763054.exe
PID 1556 wrote to memory of 1040	1556	f763054.exe	Dwm.exe
PID 1556 wrote to memory of 1056	1556	f763054.exe	taskhost.exe
PID 1556 wrote to memory of 1100	1556	f763054.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7614b9.exef763054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7614b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763054.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1040

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1056

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7c4fb91d8fff627be8e172b06c34af10a1a18710d4e5fc05016101b66d43b5_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7c4fb91d8fff627be8e172b06c34af10a1a18710d4e5fc05016101b66d43b5_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\f7614b9.exe
C:\Users\Admin\AppData\Local\Temp\f7614b9.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2224

C:\Users\Admin\AppData\Local\Temp\f76166e.exe
C:\Users\Admin\AppData\Local\Temp\f76166e.exe
4⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\f763054.exe
C:\Users\Admin\AppData\Local\Temp\f763054.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2308

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
cb9e38f3f12cade9ce21d92fe6f3793b

SHA1
f8352f7155f893af9b5de49e26c87ae02024c043

SHA256
8e9e07df92fd352ae2a69e5663c26fc6dd7358985e8c3caea1555ec7fd1afc7d

SHA512
8b84d69d578c89e4e1eb281a0085e22374090186657e3e540eedbf0b19cce89a7df10e6d063be43f1917a0053241f04b9fdfe93985a2433a472b4d6ad767d782

Download Submit
\Users\Admin\AppData\Local\Temp\f7614b9.exe
Filesize
97KB

MD5
be65a3ce9934a24d4bbded1c0a6c4d3b

SHA1
549d8dec702cc163d90cb011acc01e8b0836a526

SHA256
271dc846455e0da64e1bd03fbe9fe49e0e6cd47cd806d4687349f19bcb31936d

SHA512
f93044a051526299c7b2e016a6a393fee0bf837346371e1eb14c375c2a02d02b5a6a8db36bf0ab27525c6e00c7e96f0ac828a6825b3fec46914aa06d769102e9

Download Submit
memory/1040-29-0x0000000001DA0000-0x0000000001DA2000-memory.dmp

Filesize
8KB

Download
memory/1556-198-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1556-199-0x0000000000A60000-0x0000000001B1A000-memory.dmp

Filesize
16.7MB

Download
memory/1556-162-0x0000000000A60000-0x0000000001B1A000-memory.dmp

Filesize
16.7MB

Download
memory/1556-99-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1556-102-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/1556-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2224-61-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-20-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-49-0x00000000016D0000-0x00000000016D2000-memory.dmp

Filesize
8KB

Download
memory/2224-48-0x00000000016D0000-0x00000000016D2000-memory.dmp

Filesize
8KB

Download
memory/2224-22-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2224-14-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-146-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2224-112-0x00000000016D0000-0x00000000016D2000-memory.dmp

Filesize
8KB

Download
memory/2224-109-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-108-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-18-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-16-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-23-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-15-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-21-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-106-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-62-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-63-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-64-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-65-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-103-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-46-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/2224-17-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-80-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-81-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-82-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2224-19-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2448-150-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2448-93-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2448-101-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2448-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2448-92-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2920-73-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/2920-56-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/2920-36-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2920-58-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2920-35-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/2920-59-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/2920-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2920-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2920-45-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2920-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2920-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads