sality | b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee_NeikiAnalytics.dll
Size

120KB
MD5

959f6e3872de1c2c46cb5ab255d9e230
SHA1

281ddb475e97ecc9b6ea55130f598ada6861a50c
SHA256

b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee
SHA512

6856d6d867a1f35ae8c48835d220d9228ff26607e32666f8d03507ce4aebdb6003d54aa10629b41fabf5d5786b66b3b20d42d921f544f322a5839680252f11ac
SSDEEP

3072:xobMMkfLUJeCuP1bh4OAbkFd2+FO85lKpwvxbQqUiz:mIpfLBbhHAb8Z7aCvZ1Ui

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f761b7c.exef7636c9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7636c9.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f761b7c.exef7636c9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7636c9.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f761b7c.exef7636c9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7636c9.exe

Executes dropped EXE 3 IoCs

Processes:

f761b7c.exef761f15.exef7636c9.exe

pid process

1828 f761b7c.exe
2728 f761f15.exe
2504 f7636c9.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

880 rundll32.exe
880 rundll32.exe
880 rundll32.exe
880 rundll32.exe
880 rundll32.exe
880 rundll32.exe

pid	process
1828	f761b7c.exe
2728	f761f15.exe
2504	f7636c9.exe

pid	process
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1828-14-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-17-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-21-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-16-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-23-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-22-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-20-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-19-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-18-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-15-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-60-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-61-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-62-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-63-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-64-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-66-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-79-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-80-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-82-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-84-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-104-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/1828-145-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2504-161-0x0000000000970000-0x0000000001A2A000-memory.dmp	upx
behavioral1/memory/2504-198-0x0000000000970000-0x0000000001A2A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f761b7c.exef7636c9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761b7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7636c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7636c9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7636c9.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f761b7c.exef7636c9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7636c9.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7636c9.exef761b7c.exe

description	ioc	process
File opened (read-only)	\??\E:	f7636c9.exe
File opened (read-only)	\??\E:	f761b7c.exe
File opened (read-only)	\??\H:	f761b7c.exe
File opened (read-only)	\??\J:	f761b7c.exe
File opened (read-only)	\??\K:	f761b7c.exe
File opened (read-only)	\??\M:	f761b7c.exe
File opened (read-only)	\??\N:	f761b7c.exe
File opened (read-only)	\??\Q:	f761b7c.exe
File opened (read-only)	\??\G:	f761b7c.exe
File opened (read-only)	\??\L:	f761b7c.exe
File opened (read-only)	\??\P:	f761b7c.exe
File opened (read-only)	\??\R:	f761b7c.exe
File opened (read-only)	\??\I:	f761b7c.exe
File opened (read-only)	\??\O:	f761b7c.exe

Drops file in Windows directory 3 IoCs

Processes:

f761b7c.exef7636c9.exe

description ioc process

File created C:\Windows\f761bea f761b7c.exe
File opened for modification C:\Windows\SYSTEM.INI f761b7c.exe
File created C:\Windows\f766e6c f7636c9.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f761b7c.exef7636c9.exe

pid process

1828 f761b7c.exe
1828 f761b7c.exe
2504 f7636c9.exe

description	ioc	process
File created	C:\Windows\f761bea	f761b7c.exe
File opened for modification	C:\Windows\SYSTEM.INI	f761b7c.exe
File created	C:\Windows\f766e6c	f7636c9.exe

pid	process
1828	f761b7c.exe
1828	f761b7c.exe
2504	f7636c9.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f761b7c.exef7636c9.exe

description	pid	process
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	1828	f761b7c.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe
Token: SeDebugPrivilege	2504	f7636c9.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef761b7c.exef7636c9.exe

description	pid	process	target process
PID 1032 wrote to memory of 880	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 880	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 880	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 880	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 880	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 880	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 880	1032	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1828	880	rundll32.exe	f761b7c.exe
PID 880 wrote to memory of 1828	880	rundll32.exe	f761b7c.exe
PID 880 wrote to memory of 1828	880	rundll32.exe	f761b7c.exe
PID 880 wrote to memory of 1828	880	rundll32.exe	f761b7c.exe
PID 1828 wrote to memory of 1092	1828	f761b7c.exe	taskhost.exe
PID 1828 wrote to memory of 1172	1828	f761b7c.exe	Dwm.exe
PID 1828 wrote to memory of 1196	1828	f761b7c.exe	Explorer.EXE
PID 1828 wrote to memory of 1636	1828	f761b7c.exe	DllHost.exe
PID 1828 wrote to memory of 1032	1828	f761b7c.exe	rundll32.exe
PID 1828 wrote to memory of 880	1828	f761b7c.exe	rundll32.exe
PID 1828 wrote to memory of 880	1828	f761b7c.exe	rundll32.exe
PID 880 wrote to memory of 2728	880	rundll32.exe	f761f15.exe
PID 880 wrote to memory of 2728	880	rundll32.exe	f761f15.exe
PID 880 wrote to memory of 2728	880	rundll32.exe	f761f15.exe
PID 880 wrote to memory of 2728	880	rundll32.exe	f761f15.exe
PID 880 wrote to memory of 2504	880	rundll32.exe	f7636c9.exe
PID 880 wrote to memory of 2504	880	rundll32.exe	f7636c9.exe
PID 880 wrote to memory of 2504	880	rundll32.exe	f7636c9.exe
PID 880 wrote to memory of 2504	880	rundll32.exe	f7636c9.exe
PID 1828 wrote to memory of 1092	1828	f761b7c.exe	taskhost.exe
PID 1828 wrote to memory of 1172	1828	f761b7c.exe	Dwm.exe
PID 1828 wrote to memory of 1196	1828	f761b7c.exe	Explorer.EXE
PID 1828 wrote to memory of 2728	1828	f761b7c.exe	f761f15.exe
PID 1828 wrote to memory of 2728	1828	f761b7c.exe	f761f15.exe
PID 1828 wrote to memory of 2504	1828	f761b7c.exe	f7636c9.exe
PID 1828 wrote to memory of 2504	1828	f761b7c.exe	f7636c9.exe
PID 2504 wrote to memory of 1092	2504	f7636c9.exe	taskhost.exe
PID 2504 wrote to memory of 1172	2504	f7636c9.exe	Dwm.exe
PID 2504 wrote to memory of 1196	2504	f7636c9.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f761b7c.exef7636c9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7636c9.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1092

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\f761b7c.exe
C:\Users\Admin\AppData\Local\Temp\f761b7c.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1828

C:\Users\Admin\AppData\Local\Temp\f761f15.exe
C:\Users\Admin\AppData\Local\Temp\f761f15.exe
4⤵
- Executes dropped EXE
PID:2728

C:\Users\Admin\AppData\Local\Temp\f7636c9.exe
C:\Users\Admin\AppData\Local\Temp\f7636c9.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2504

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1636

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
6fc07cde3f6ea2140353988fe38a7c58

SHA1
e39a77904c0c480a0ce6869bf4fd3ebfd2bf5a17

SHA256
87c141f1bb4349edb729eb7ae863d5a65111ec108b239d186a5e2f1df7303229

SHA512
47e30301af63a54d426700811ccb9ed00e20bdd4f9efa8a8c0a0760579808799106bc6be477c11f79235acc490b7b2ec5af95b4fe7b7f1264c0cb0aa863aea4f

Download Submit
\Users\Admin\AppData\Local\Temp\f761b7c.exe
Filesize
97KB

MD5
193e053a835a698d78894dc256459b59

SHA1
33cfff226050220b3fdaee30a4e7ef0cfeae4d38

SHA256
5ac9110bce19897027dc3c8a2bd17de961ebc5b4668bd86b5ccdb253deeb6b50

SHA512
b934dac8a366b7868101ef9416f9a75f89da7e7c06f73069f15369d1b060b0c7148e345710827556e6bd629ff66ee60e29acf3b01117fb16cbe2b20a7e4ca6f7

Download Submit
memory/880-33-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/880-8-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/880-35-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/880-34-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/880-52-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/880-9-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/880-74-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/880-77-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/880-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/880-49-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/880-51-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/1092-25-0x0000000000410000-0x0000000000412000-memory.dmp

Filesize
8KB

Download
memory/1828-60-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-14-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-19-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-18-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-15-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-41-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1828-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1828-22-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-23-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-16-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-55-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/1828-59-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/1828-21-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-61-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-62-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-63-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-64-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-66-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-17-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-20-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-79-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-80-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-82-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-84-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-145-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1828-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1828-104-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/2504-103-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2504-102-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2504-105-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2504-161-0x0000000000970000-0x0000000001A2A000-memory.dmp

Filesize
16.7MB

Download
memory/2504-197-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2504-198-0x0000000000970000-0x0000000001A2A000-memory.dmp

Filesize
16.7MB

Download
memory/2728-95-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2728-96-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2728-92-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2728-149-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads