sality | 900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll
Size

120KB
MD5

06d552d79c8c49d814b9d37d609f2e30
SHA1

80ea275aae6173d90f695b759aacc5220c2e44d6
SHA256

900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9
SHA512

e65bf51e2c9fc016cfdc399fdbd46233629e2830cffdfd449eb02999e157b790105ff94cb4fece48ba6ed9d16c90830acc64e794dc86a1b74682cd6b679d52dc
SSDEEP

1536:VCn+rJBiAiu+UZ0oKPJ+/p+My7IoYAvJHEmB+BFCbnM+PdW/IoyZ6aRHs6PpXl84:VSAPPKPJM8My9REibnM+P4IpMwpXmb

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f76255c.exef760992.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f760992.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760992.exef76255c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76255c.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760992.exef76255c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76255c.exe

Executes dropped EXE 3 IoCs

Processes:

f760992.exef760b08.exef76255c.exe

pid process

2620 f760992.exe
2448 f760b08.exe
1132 f76255c.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

1900 rundll32.exe
1900 rundll32.exe
1900 rundll32.exe
1900 rundll32.exe
1900 rundll32.exe
1900 rundll32.exe

pid	process
2620	f760992.exe
2448	f760b08.exe
1132	f76255c.exe

pid	process
1900	rundll32.exe
1900	rundll32.exe
1900	rundll32.exe
1900	rundll32.exe
1900	rundll32.exe
1900	rundll32.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2620-14-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-16-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-18-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-23-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-22-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-19-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-17-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-20-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-21-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-15-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-64-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-65-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-66-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-68-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-67-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-70-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-71-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-85-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-87-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-89-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-124-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2620-159-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1132-180-0x0000000000910000-0x00000000019CA000-memory.dmp	upx
behavioral1/memory/1132-214-0x0000000000910000-0x00000000019CA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76255c.exef760992.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76255c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76255c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f76255c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76255c.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f760992.exef76255c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76255c.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f760992.exef76255c.exe

description	ioc	process
File opened (read-only)	\??\P:	f760992.exe
File opened (read-only)	\??\R:	f760992.exe
File opened (read-only)	\??\E:	f76255c.exe
File opened (read-only)	\??\G:	f760992.exe
File opened (read-only)	\??\M:	f760992.exe
File opened (read-only)	\??\N:	f760992.exe
File opened (read-only)	\??\Q:	f760992.exe
File opened (read-only)	\??\H:	f760992.exe
File opened (read-only)	\??\O:	f760992.exe
File opened (read-only)	\??\S:	f760992.exe
File opened (read-only)	\??\T:	f760992.exe
File opened (read-only)	\??\G:	f76255c.exe
File opened (read-only)	\??\J:	f760992.exe
File opened (read-only)	\??\I:	f760992.exe
File opened (read-only)	\??\K:	f760992.exe
File opened (read-only)	\??\L:	f760992.exe
File opened (read-only)	\??\E:	f760992.exe

Drops file in Windows directory 3 IoCs

Processes:

f760992.exef76255c.exe

description ioc process

File created C:\Windows\f7609f0 f760992.exe
File opened for modification C:\Windows\SYSTEM.INI f760992.exe
File created C:\Windows\f7659f2 f76255c.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f760992.exef76255c.exe

pid process

2620 f760992.exe
2620 f760992.exe
1132 f76255c.exe

description	ioc	process
File created	C:\Windows\f7609f0	f760992.exe
File opened for modification	C:\Windows\SYSTEM.INI	f760992.exe
File created	C:\Windows\f7659f2	f76255c.exe

pid	process
2620	f760992.exe
2620	f760992.exe
1132	f76255c.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f760992.exef76255c.exe

description	pid	process
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	2620	f760992.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe
Token: SeDebugPrivilege	1132	f76255c.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef760992.exef76255c.exe

description	pid	process	target process
PID 1616 wrote to memory of 1900	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 1900	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 1900	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 1900	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 1900	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 1900	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 1900	1616	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 2620	1900	rundll32.exe	f760992.exe
PID 1900 wrote to memory of 2620	1900	rundll32.exe	f760992.exe
PID 1900 wrote to memory of 2620	1900	rundll32.exe	f760992.exe
PID 1900 wrote to memory of 2620	1900	rundll32.exe	f760992.exe
PID 2620 wrote to memory of 1064	2620	f760992.exe	taskhost.exe
PID 2620 wrote to memory of 1144	2620	f760992.exe	Dwm.exe
PID 2620 wrote to memory of 1168	2620	f760992.exe	Explorer.EXE
PID 2620 wrote to memory of 2356	2620	f760992.exe	DllHost.exe
PID 2620 wrote to memory of 1616	2620	f760992.exe	rundll32.exe
PID 2620 wrote to memory of 1900	2620	f760992.exe	rundll32.exe
PID 2620 wrote to memory of 1900	2620	f760992.exe	rundll32.exe
PID 1900 wrote to memory of 2448	1900	rundll32.exe	f760b08.exe
PID 1900 wrote to memory of 2448	1900	rundll32.exe	f760b08.exe
PID 1900 wrote to memory of 2448	1900	rundll32.exe	f760b08.exe
PID 1900 wrote to memory of 2448	1900	rundll32.exe	f760b08.exe
PID 1900 wrote to memory of 1132	1900	rundll32.exe	f76255c.exe
PID 1900 wrote to memory of 1132	1900	rundll32.exe	f76255c.exe
PID 1900 wrote to memory of 1132	1900	rundll32.exe	f76255c.exe
PID 1900 wrote to memory of 1132	1900	rundll32.exe	f76255c.exe
PID 2620 wrote to memory of 1064	2620	f760992.exe	taskhost.exe
PID 2620 wrote to memory of 1144	2620	f760992.exe	Dwm.exe
PID 2620 wrote to memory of 1168	2620	f760992.exe	Explorer.EXE
PID 2620 wrote to memory of 2448	2620	f760992.exe	f760b08.exe
PID 2620 wrote to memory of 2448	2620	f760992.exe	f760b08.exe
PID 2620 wrote to memory of 1132	2620	f760992.exe	f76255c.exe
PID 2620 wrote to memory of 1132	2620	f760992.exe	f76255c.exe
PID 1132 wrote to memory of 1064	1132	f76255c.exe	taskhost.exe
PID 1132 wrote to memory of 1144	1132	f76255c.exe	Dwm.exe
PID 1132 wrote to memory of 1168	1132	f76255c.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f760992.exef76255c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76255c.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1168

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\f760992.exe
C:\Users\Admin\AppData\Local\Temp\f760992.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2620

C:\Users\Admin\AppData\Local\Temp\f760b08.exe
C:\Users\Admin\AppData\Local\Temp\f760b08.exe
4⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\f76255c.exe
C:\Users\Admin\AppData\Local\Temp\f76255c.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2356

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
8279af248311f6fe30846be9eecd380c

SHA1
8a28f4f05daf1ebb1f870b8c76e0cff668e1418a

SHA256
b155f06f3373e58fec384d7c7e7110867f09b1e1bd380279aa90c8f786669c34

SHA512
498b4aa47e73df588fa97cc985dfadee89eb6d544096c4a5fffdfecbd78a04bd3785bbbc67cfb25a538a0ab28a4e3985a631ab7155c1ba7b7c4ffcff674e046a

Download Submit
\Users\Admin\AppData\Local\Temp\f760992.exe
Filesize
97KB

MD5
e073d86fde40b6f3b71fc3386fed72cb

SHA1
9757aec5768c457ecf5adba97f9d3b172521a23b

SHA256
38b8f22c36a6570d995325da15e35bc241ea5e3fa2bab7435fb5ea7a72b8a8b0

SHA512
94ddf415933ce6fa1387954e150e22731eafb0f6b263ddfede1d31f4b3186b643d2344eba3b4c07cb1913a2d200dfc34a5114290f461948b534074ce57f10988

Download Submit
memory/1064-29-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1132-180-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/1132-105-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/1132-214-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/1132-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1132-213-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1132-109-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/1132-107-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1900-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1900-79-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/1900-61-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/1900-10-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/1900-48-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1900-58-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/1900-39-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1900-38-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/1900-9-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/1900-82-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/1900-62-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/2448-99-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2448-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2448-108-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2448-100-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2448-163-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2620-49-0x0000000001620000-0x0000000001621000-memory.dmp

Filesize
4KB

Download
memory/2620-60-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2620-66-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-68-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-67-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-70-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-71-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-64-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-15-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-21-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-85-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-87-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-89-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-65-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-20-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-51-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2620-17-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-19-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-22-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-124-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-156-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2620-159-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-158-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2620-23-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-18-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-16-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-14-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2620-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads