sality | 9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f_NeikiAnalytics.dll
Size

120KB
MD5

476a6bbf4d9465f3c2fdfe0d52b51480
SHA1

3aeca15e298d759372523d9c0d9f0e8d073c7d67
SHA256

9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f
SHA512

de74bbca03b47d6c682935884b5f3945aac2446845ef882f07fe4b622468197f56e15ac24df358ae0f699c896060c2862c969e88865b6e66df464cbf1a05dbec
SSDEEP

3072:oVZ190+IOH2g33Ov/6yZrza2UZHn6DiX478nY/aIC:0ZxVW0OayZrza2yHDX473SIC

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f760cbd.exef762887.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f762887.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f762887.exef760cbd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760cbd.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f762887.exef760cbd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760cbd.exe

Executes dropped EXE 3 IoCs

Processes:

f760cbd.exef760e24.exef762887.exe

pid process

2440 f760cbd.exe
2588 f760e24.exe
2784 f762887.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2324 rundll32.exe
2324 rundll32.exe
2324 rundll32.exe
2324 rundll32.exe
2324 rundll32.exe
2324 rundll32.exe

pid	process
2440	f760cbd.exe
2588	f760e24.exe
2784	f762887.exe

pid	process
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2440-16-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-17-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-13-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-20-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-22-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-21-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-23-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-19-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-15-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-18-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-64-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-65-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-66-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-68-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-67-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-70-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-71-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-84-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-86-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-88-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-106-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-107-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-124-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2440-155-0x0000000000650000-0x000000000170A000-memory.dmp	upx
behavioral1/memory/2784-173-0x00000000009A0000-0x0000000001A5A000-memory.dmp	upx
behavioral1/memory/2784-209-0x00000000009A0000-0x0000000001A5A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f762887.exef760cbd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762887.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760cbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762887.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f762887.exef760cbd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760cbd.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f760cbd.exef762887.exe

description	ioc	process
File opened (read-only)	\??\I:	f760cbd.exe
File opened (read-only)	\??\J:	f760cbd.exe
File opened (read-only)	\??\R:	f760cbd.exe
File opened (read-only)	\??\S:	f760cbd.exe
File opened (read-only)	\??\T:	f760cbd.exe
File opened (read-only)	\??\O:	f760cbd.exe
File opened (read-only)	\??\E:	f760cbd.exe
File opened (read-only)	\??\M:	f760cbd.exe
File opened (read-only)	\??\N:	f760cbd.exe
File opened (read-only)	\??\G:	f760cbd.exe
File opened (read-only)	\??\H:	f760cbd.exe
File opened (read-only)	\??\K:	f760cbd.exe
File opened (read-only)	\??\L:	f760cbd.exe
File opened (read-only)	\??\P:	f760cbd.exe
File opened (read-only)	\??\Q:	f760cbd.exe
File opened (read-only)	\??\E:	f762887.exe
File opened (read-only)	\??\G:	f762887.exe

Drops file in Windows directory 3 IoCs

Processes:

f760cbd.exef762887.exe

description ioc process

File created C:\Windows\f760d2a f760cbd.exe
File opened for modification C:\Windows\SYSTEM.INI f760cbd.exe
File created C:\Windows\f765d1e f762887.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f760cbd.exef762887.exe

pid process

2440 f760cbd.exe
2440 f760cbd.exe
2784 f762887.exe

description	ioc	process
File created	C:\Windows\f760d2a	f760cbd.exe
File opened for modification	C:\Windows\SYSTEM.INI	f760cbd.exe
File created	C:\Windows\f765d1e	f762887.exe

pid	process
2440	f760cbd.exe
2440	f760cbd.exe
2784	f762887.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f760cbd.exef762887.exe

description	pid	process
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2440	f760cbd.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe
Token: SeDebugPrivilege	2784	f762887.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef760cbd.exef762887.exe

description	pid	process	target process
PID 1752 wrote to memory of 2324	1752	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 2324	1752	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 2324	1752	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 2324	1752	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 2324	1752	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 2324	1752	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 2324	1752	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2440	2324	rundll32.exe	f760cbd.exe
PID 2324 wrote to memory of 2440	2324	rundll32.exe	f760cbd.exe
PID 2324 wrote to memory of 2440	2324	rundll32.exe	f760cbd.exe
PID 2324 wrote to memory of 2440	2324	rundll32.exe	f760cbd.exe
PID 2440 wrote to memory of 1112	2440	f760cbd.exe	taskhost.exe
PID 2440 wrote to memory of 1172	2440	f760cbd.exe	Dwm.exe
PID 2440 wrote to memory of 1212	2440	f760cbd.exe	Explorer.EXE
PID 2440 wrote to memory of 1760	2440	f760cbd.exe	DllHost.exe
PID 2440 wrote to memory of 1752	2440	f760cbd.exe	rundll32.exe
PID 2440 wrote to memory of 2324	2440	f760cbd.exe	rundll32.exe
PID 2440 wrote to memory of 2324	2440	f760cbd.exe	rundll32.exe
PID 2324 wrote to memory of 2588	2324	rundll32.exe	f760e24.exe
PID 2324 wrote to memory of 2588	2324	rundll32.exe	f760e24.exe
PID 2324 wrote to memory of 2588	2324	rundll32.exe	f760e24.exe
PID 2324 wrote to memory of 2588	2324	rundll32.exe	f760e24.exe
PID 2324 wrote to memory of 2784	2324	rundll32.exe	f762887.exe
PID 2324 wrote to memory of 2784	2324	rundll32.exe	f762887.exe
PID 2324 wrote to memory of 2784	2324	rundll32.exe	f762887.exe
PID 2324 wrote to memory of 2784	2324	rundll32.exe	f762887.exe
PID 2440 wrote to memory of 1112	2440	f760cbd.exe	taskhost.exe
PID 2440 wrote to memory of 1172	2440	f760cbd.exe	Dwm.exe
PID 2440 wrote to memory of 1212	2440	f760cbd.exe	Explorer.EXE
PID 2440 wrote to memory of 2588	2440	f760cbd.exe	f760e24.exe
PID 2440 wrote to memory of 2588	2440	f760cbd.exe	f760e24.exe
PID 2440 wrote to memory of 2784	2440	f760cbd.exe	f762887.exe
PID 2440 wrote to memory of 2784	2440	f760cbd.exe	f762887.exe
PID 2784 wrote to memory of 1112	2784	f762887.exe	taskhost.exe
PID 2784 wrote to memory of 1172	2784	f762887.exe	Dwm.exe
PID 2784 wrote to memory of 1212	2784	f762887.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f760cbd.exef762887.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760cbd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762887.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\f760cbd.exe
C:\Users\Admin\AppData\Local\Temp\f760cbd.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440

C:\Users\Admin\AppData\Local\Temp\f760e24.exe
C:\Users\Admin\AppData\Local\Temp\f760e24.exe
4⤵
- Executes dropped EXE
PID:2588

C:\Users\Admin\AppData\Local\Temp\f762887.exe
C:\Users\Admin\AppData\Local\Temp\f762887.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1760

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
a9a40981f4a364c29303bad6babb103a

SHA1
73d09b3ebced3b6daa8333bf37ebe136d694930f

SHA256
9fb19e21a9b8df2db8ae29156d999dd401ff0dc98b4817df4cd5f11020278850

SHA512
cb15185107e7753b54bfda48e2abc112fd1c51b81f4462bdca09bc36b6a879df010d0d3bab83808ef893b2b0acc908407f55da286b8fc43d12b7edb6562314b8

Download Submit
\Users\Admin\AppData\Local\Temp\f760cbd.exe
Filesize
97KB

MD5
307254b37ae8773f73d99cd7088f4e67

SHA1
9e68a38997844955f633a4911989e8c78230dc23

SHA256
9f7abe051385dccd85630c219bea138746e1967a50bc16a105e5aa86796cef49

SHA512
aad426f9011e74d4a2d075eb9059fde1510dbccec570228569d5a87e0427be0174cb6a5f96cc0f0334b3162fa3d2cfdd2ef27951ec1250a9ab89983f59fd85bc

Download Submit
memory/1112-29-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2324-39-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2324-11-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2324-48-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2324-10-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2324-38-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2324-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2324-80-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2324-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2324-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2324-61-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2324-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2440-18-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-16-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-23-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-51-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/2440-49-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2440-19-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2440-22-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-20-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-60-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/2440-13-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-15-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-17-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-64-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-65-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-66-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-68-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-67-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-70-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-71-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-154-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2440-21-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-84-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-86-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-88-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-155-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-124-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-107-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2440-106-0x0000000000650000-0x000000000170A000-memory.dmp

Filesize
16.7MB

Download
memory/2588-97-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2588-96-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2588-104-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2588-159-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2588-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-103-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2784-102-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2784-105-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2784-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-173-0x00000000009A0000-0x0000000001A5A000-memory.dmp

Filesize
16.7MB

Download
memory/2784-210-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-209-0x00000000009A0000-0x0000000001A5A000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads