sality | b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll
Size

120KB
MD5

4f6a318372a7efc3a8011ba01e62ce50
SHA1

b30a09f9a9a57ada1c293b54b54dd8ba14945749
SHA256

b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d
SHA512

403403bd4c328cf932fd81efaaa5e3d8c3eeeaa267a2928475c031a8d2c8b182e4dd343ef5e1fa8deca25a81eb0a07d2bd768d002b2abf303bf9a3d1d53b6c8a
SSDEEP

3072:jos6XK3rgarAE3DJZ8vKZqSB/77XZkun2g:jolK7gNE3DMvK1XZ/2g

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f7625f8.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7641c1.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7625f8.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7641c1.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7625f8.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7641c1.exe

Executes dropped EXE 3 IoCs

Processes:

f7625f8.exef76278d.exef7641c1.exe

pid process

2488 f7625f8.exe
1668 f76278d.exe
2252 f7641c1.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2132 rundll32.exe
2132 rundll32.exe
2132 rundll32.exe
2132 rundll32.exe
2132 rundll32.exe
2132 rundll32.exe

pid	process
2488	f7625f8.exe
1668	f76278d.exe
2252	f7641c1.exe

pid	process
2132	rundll32.exe
2132	rundll32.exe
2132	rundll32.exe
2132	rundll32.exe
2132	rundll32.exe
2132	rundll32.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2488-18-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-23-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-17-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-19-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-15-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-14-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-16-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-21-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-20-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-22-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-63-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-62-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-64-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-65-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-66-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-68-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-69-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-83-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-85-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-86-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-106-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-109-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-120-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2488-150-0x0000000000620000-0x00000000016DA000-memory.dmp	upx
behavioral1/memory/2252-170-0x0000000000920000-0x00000000019DA000-memory.dmp	upx
behavioral1/memory/2252-205-0x0000000000920000-0x00000000019DA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7625f8.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7625f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7641c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7641c1.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7625f8.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7641c1.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7625f8.exef7641c1.exe

description	ioc	process
File opened (read-only)	\??\K:	f7625f8.exe
File opened (read-only)	\??\R:	f7625f8.exe
File opened (read-only)	\??\J:	f7625f8.exe
File opened (read-only)	\??\L:	f7625f8.exe
File opened (read-only)	\??\M:	f7625f8.exe
File opened (read-only)	\??\O:	f7625f8.exe
File opened (read-only)	\??\G:	f7625f8.exe
File opened (read-only)	\??\T:	f7625f8.exe
File opened (read-only)	\??\E:	f7641c1.exe
File opened (read-only)	\??\S:	f7625f8.exe
File opened (read-only)	\??\G:	f7641c1.exe
File opened (read-only)	\??\E:	f7625f8.exe
File opened (read-only)	\??\H:	f7625f8.exe
File opened (read-only)	\??\I:	f7625f8.exe
File opened (read-only)	\??\N:	f7625f8.exe
File opened (read-only)	\??\P:	f7625f8.exe
File opened (read-only)	\??\Q:	f7625f8.exe

Drops file in Windows directory 3 IoCs

Processes:

f7625f8.exef7641c1.exe

description ioc process

File created C:\Windows\f762665 f7625f8.exe
File opened for modification C:\Windows\SYSTEM.INI f7625f8.exe
File created C:\Windows\f767677 f7641c1.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f7625f8.exef7641c1.exe

pid process

2488 f7625f8.exe
2488 f7625f8.exe
2252 f7641c1.exe

description	ioc	process
File created	C:\Windows\f762665	f7625f8.exe
File opened for modification	C:\Windows\SYSTEM.INI	f7625f8.exe
File created	C:\Windows\f767677	f7641c1.exe

pid	process
2488	f7625f8.exe
2488	f7625f8.exe
2252	f7641c1.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f7625f8.exef7641c1.exe

description	pid	process
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2488	f7625f8.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe
Token: SeDebugPrivilege	2252	f7641c1.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef7625f8.exef7641c1.exe

description	pid	process	target process
PID 2104 wrote to memory of 2132	2104	rundll32.exe	rundll32.exe
PID 2104 wrote to memory of 2132	2104	rundll32.exe	rundll32.exe
PID 2104 wrote to memory of 2132	2104	rundll32.exe	rundll32.exe
PID 2104 wrote to memory of 2132	2104	rundll32.exe	rundll32.exe
PID 2104 wrote to memory of 2132	2104	rundll32.exe	rundll32.exe
PID 2104 wrote to memory of 2132	2104	rundll32.exe	rundll32.exe
PID 2104 wrote to memory of 2132	2104	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 2488	2132	rundll32.exe	f7625f8.exe
PID 2132 wrote to memory of 2488	2132	rundll32.exe	f7625f8.exe
PID 2132 wrote to memory of 2488	2132	rundll32.exe	f7625f8.exe
PID 2132 wrote to memory of 2488	2132	rundll32.exe	f7625f8.exe
PID 2488 wrote to memory of 1120	2488	f7625f8.exe	taskhost.exe
PID 2488 wrote to memory of 1168	2488	f7625f8.exe	Dwm.exe
PID 2488 wrote to memory of 1204	2488	f7625f8.exe	Explorer.EXE
PID 2488 wrote to memory of 2228	2488	f7625f8.exe	DllHost.exe
PID 2488 wrote to memory of 2104	2488	f7625f8.exe	rundll32.exe
PID 2488 wrote to memory of 2132	2488	f7625f8.exe	rundll32.exe
PID 2488 wrote to memory of 2132	2488	f7625f8.exe	rundll32.exe
PID 2132 wrote to memory of 1668	2132	rundll32.exe	f76278d.exe
PID 2132 wrote to memory of 1668	2132	rundll32.exe	f76278d.exe
PID 2132 wrote to memory of 1668	2132	rundll32.exe	f76278d.exe
PID 2132 wrote to memory of 1668	2132	rundll32.exe	f76278d.exe
PID 2132 wrote to memory of 2252	2132	rundll32.exe	f7641c1.exe
PID 2132 wrote to memory of 2252	2132	rundll32.exe	f7641c1.exe
PID 2132 wrote to memory of 2252	2132	rundll32.exe	f7641c1.exe
PID 2132 wrote to memory of 2252	2132	rundll32.exe	f7641c1.exe
PID 2488 wrote to memory of 1120	2488	f7625f8.exe	taskhost.exe
PID 2488 wrote to memory of 1168	2488	f7625f8.exe	Dwm.exe
PID 2488 wrote to memory of 1204	2488	f7625f8.exe	Explorer.EXE
PID 2488 wrote to memory of 1668	2488	f7625f8.exe	f76278d.exe
PID 2488 wrote to memory of 1668	2488	f7625f8.exe	f76278d.exe
PID 2488 wrote to memory of 2252	2488	f7625f8.exe	f7641c1.exe
PID 2488 wrote to memory of 2252	2488	f7625f8.exe	f7641c1.exe
PID 2252 wrote to memory of 1120	2252	f7641c1.exe	taskhost.exe
PID 2252 wrote to memory of 1168	2252	f7641c1.exe	Dwm.exe
PID 2252 wrote to memory of 1204	2252	f7641c1.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7625f8.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7625f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7641c1.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\f7625f8.exe
C:\Users\Admin\AppData\Local\Temp\f7625f8.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2488

C:\Users\Admin\AppData\Local\Temp\f76278d.exe
C:\Users\Admin\AppData\Local\Temp\f76278d.exe
4⤵
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Local\Temp\f7641c1.exe
C:\Users\Admin\AppData\Local\Temp\f7641c1.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2252

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2228

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f7625f8.exe
Filesize
97KB

MD5
f75dfaabcd6b714373ee7450d4cdf6ce

SHA1
09fd501fd05df80c6f58d178ffff84e76691f370

SHA256
4c6b9dd8d5e8a96ea20f9e924b357cb2c9f0bea9ae6246d7b90b4c6ade43ee69

SHA512
5844dfbbb405cf1a3c03146432d954b5585d24dcf940f16e85938ee957ae63de5bd6eb81ad92ac86ecfcae51862404b12d58ac0c79b411462893ec5126de484c

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
91e9e7a47c9f8d05954e83be726b9bb6

SHA1
b3044129c269fa5567aa0a7030c616c3940b82b7

SHA256
1fa2b84e5a04e4a7c5f30f0a669823f0f013d8ae1357ac79205d0ce5e4288a14

SHA512
e02b91673fd7082c63ae25432914c6640058755fc94f5dc280c1ced5462f41ca81ac45b281da18b85dc38f92337c2aa961e8d8048cdf93e257df7f8ba15f5bd3

Download Submit
memory/1120-29-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/1668-171-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1668-104-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1668-96-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1668-97-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1668-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2132-57-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2132-37-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2132-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2132-60-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2132-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2132-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2132-45-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2132-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2132-36-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2132-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2252-103-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2252-102-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2252-105-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2252-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2252-170-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2252-205-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2252-204-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2488-20-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-15-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-63-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-62-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-64-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-65-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-66-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-68-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-69-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-22-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-83-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-85-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-86-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-23-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-18-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-17-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-19-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-21-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-49-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2488-106-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-109-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-120-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-149-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2488-150-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-48-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2488-46-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/2488-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2488-16-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-14-0x0000000000620000-0x00000000016DA000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads