sality | 2b36ed5591854c78ad24fd72ae32a06d730b34ec60a9559c98fb8af8ed69b8e1

Analysis

max time kernel
25s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b36ed5591854c78ad24fd72ae32a06d730b34ec60a9559c98fb8af8ed69b8e1_NeikiAnalytics.dll
Size

120KB
MD5

f63adb8e3a7940e91f9f02fccac58630
SHA1

c7dc50add0c0fcf906e5a720615740eb8080e497
SHA256

2b36ed5591854c78ad24fd72ae32a06d730b34ec60a9559c98fb8af8ed69b8e1
SHA512

e8715770167a82a17124b53a4f803aa8605a12c12f6780b67b8e20e53a136e3ce13f5b3460f51a2c52414db6727f84501174e4bc70e44ecfdcd69c840a33691a
SSDEEP

1536:3OWKOYJHkgxuMUO7p3Ib8ggO9uahkYedNistxU52Zm98jKsYZB39gD60:3OWEHkO37Kb3/oYedN652oL79

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f761729.exef7632f2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f761729.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f761729.exef7632f2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7632f2.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f761729.exef7632f2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7632f2.exe

Executes dropped EXE 3 IoCs

Processes:

f761729.exef76197a.exef7632f2.exe

pid process

2224 f761729.exe
2392 f76197a.exe
1348 f7632f2.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2920 rundll32.exe
2920 rundll32.exe
2920 rundll32.exe
2920 rundll32.exe
2920 rundll32.exe
2920 rundll32.exe

pid	process
2224	f761729.exe
2392	f76197a.exe
1348	f7632f2.exe

pid	process
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2224-15-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-17-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-14-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-21-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-16-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-22-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-19-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-20-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-18-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-12-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-63-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-64-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-65-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-66-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-67-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-69-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-70-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-86-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-88-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-90-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-91-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-109-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/2224-154-0x00000000006D0000-0x000000000178A000-memory.dmp	upx
behavioral1/memory/1348-174-0x0000000000970000-0x0000000001A2A000-memory.dmp	upx
behavioral1/memory/1348-206-0x0000000000970000-0x0000000001A2A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f761729.exef7632f2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7632f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f761729.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7632f2.exef761729.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7632f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761729.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f761729.exef7632f2.exe

description	ioc	process
File opened (read-only)	\??\S:	f761729.exe
File opened (read-only)	\??\I:	f761729.exe
File opened (read-only)	\??\M:	f761729.exe
File opened (read-only)	\??\O:	f761729.exe
File opened (read-only)	\??\P:	f761729.exe
File opened (read-only)	\??\J:	f761729.exe
File opened (read-only)	\??\L:	f761729.exe
File opened (read-only)	\??\N:	f761729.exe
File opened (read-only)	\??\Q:	f761729.exe
File opened (read-only)	\??\R:	f761729.exe
File opened (read-only)	\??\E:	f7632f2.exe
File opened (read-only)	\??\H:	f761729.exe
File opened (read-only)	\??\K:	f761729.exe
File opened (read-only)	\??\E:	f761729.exe
File opened (read-only)	\??\G:	f761729.exe

Drops file in Windows directory 3 IoCs

Processes:

f761729.exef7632f2.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI f761729.exe
File created C:\Windows\f766835 f7632f2.exe
File created C:\Windows\f761786 f761729.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f761729.exef7632f2.exe

pid process

2224 f761729.exe
2224 f761729.exe
1348 f7632f2.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	f761729.exe
File created	C:\Windows\f766835	f7632f2.exe
File created	C:\Windows\f761786	f761729.exe

pid	process
2224	f761729.exe
2224	f761729.exe
1348	f7632f2.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f761729.exef7632f2.exe

description	pid	process
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	2224	f761729.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe
Token: SeDebugPrivilege	1348	f7632f2.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef761729.exef7632f2.exe

description	pid	process	target process
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2920	2860	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2224	2920	rundll32.exe	f761729.exe
PID 2920 wrote to memory of 2224	2920	rundll32.exe	f761729.exe
PID 2920 wrote to memory of 2224	2920	rundll32.exe	f761729.exe
PID 2920 wrote to memory of 2224	2920	rundll32.exe	f761729.exe
PID 2224 wrote to memory of 1040	2224	f761729.exe	Dwm.exe
PID 2224 wrote to memory of 1056	2224	f761729.exe	taskhost.exe
PID 2224 wrote to memory of 1100	2224	f761729.exe	Explorer.EXE
PID 2224 wrote to memory of 2308	2224	f761729.exe	DllHost.exe
PID 2224 wrote to memory of 2860	2224	f761729.exe	rundll32.exe
PID 2224 wrote to memory of 2920	2224	f761729.exe	rundll32.exe
PID 2224 wrote to memory of 2920	2224	f761729.exe	rundll32.exe
PID 2920 wrote to memory of 2392	2920	rundll32.exe	f76197a.exe
PID 2920 wrote to memory of 2392	2920	rundll32.exe	f76197a.exe
PID 2920 wrote to memory of 2392	2920	rundll32.exe	f76197a.exe
PID 2920 wrote to memory of 2392	2920	rundll32.exe	f76197a.exe
PID 2920 wrote to memory of 1348	2920	rundll32.exe	f7632f2.exe
PID 2920 wrote to memory of 1348	2920	rundll32.exe	f7632f2.exe
PID 2920 wrote to memory of 1348	2920	rundll32.exe	f7632f2.exe
PID 2920 wrote to memory of 1348	2920	rundll32.exe	f7632f2.exe
PID 2224 wrote to memory of 1040	2224	f761729.exe	Dwm.exe
PID 2224 wrote to memory of 1056	2224	f761729.exe	taskhost.exe
PID 2224 wrote to memory of 1100	2224	f761729.exe	Explorer.EXE
PID 2224 wrote to memory of 2392	2224	f761729.exe	f76197a.exe
PID 2224 wrote to memory of 2392	2224	f761729.exe	f76197a.exe
PID 2224 wrote to memory of 1348	2224	f761729.exe	f7632f2.exe
PID 2224 wrote to memory of 1348	2224	f761729.exe	f7632f2.exe
PID 1348 wrote to memory of 1040	1348	f7632f2.exe	Dwm.exe
PID 1348 wrote to memory of 1056	1348	f7632f2.exe	taskhost.exe
PID 1348 wrote to memory of 1100	1348	f7632f2.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f761729.exef7632f2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7632f2.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1040

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1056

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b36ed5591854c78ad24fd72ae32a06d730b34ec60a9559c98fb8af8ed69b8e1_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b36ed5591854c78ad24fd72ae32a06d730b34ec60a9559c98fb8af8ed69b8e1_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\f761729.exe
C:\Users\Admin\AppData\Local\Temp\f761729.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2224

C:\Users\Admin\AppData\Local\Temp\f76197a.exe
C:\Users\Admin\AppData\Local\Temp\f76197a.exe
4⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Local\Temp\f7632f2.exe
C:\Users\Admin\AppData\Local\Temp\f7632f2.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2308

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
c7524f05873df0017c71c95b6207461b

SHA1
26c5893700008cc55ebf459492a1bef3010a3767

SHA256
4df6c2ebfbe5bf24432e3f143229afcd06bebbeeedc1adb4fdb5ca06e9e341df

SHA512
c035cc40438a9133694712f97c073b385acbf3c241482e4cd74f856144f1b83921a80c914bbb62a9f5de8ac817773b467a9d96d9cf59d9a098ba34839ccf8ffe

Download Submit
\Users\Admin\AppData\Local\Temp\f761729.exe
Filesize
97KB

MD5
8a5af57da92abb04e1eaab9146be009d

SHA1
66dcaf57f81ce90bfca31f2307b6b303981b7d63

SHA256
17f059416eb3d9252455c0074ec0923e2e0e18441bd078bbcab9dd09c0959199

SHA512
b5fabae7f611da904cefcdadd5bc74fd283c1fe43808becc8d9da60c6409108ffc3acbc6d51cbea2a0446e0f9e50a6c97c9df7dd7c00c3e1c009a0282606f90e

Download Submit
memory/1040-28-0x0000000001DA0000-0x0000000001DA2000-memory.dmp

Filesize
8KB

Download
memory/1348-206-0x0000000000970000-0x0000000001A2A000-memory.dmp

Filesize
16.7MB

Download
memory/1348-207-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-174-0x0000000000970000-0x0000000001A2A000-memory.dmp

Filesize
16.7MB

Download
memory/1348-107-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1348-104-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1348-105-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1348-85-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2224-21-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-12-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-51-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/2224-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2224-14-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-154-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-16-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-22-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-47-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2224-15-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-155-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2224-126-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/2224-19-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-20-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-18-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-90-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-63-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-64-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-65-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-66-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-67-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-69-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-70-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-109-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-17-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-50-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/2224-91-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-86-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2224-88-0x00000000006D0000-0x000000000178A000-memory.dmp

Filesize
16.7MB

Download
memory/2392-99-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2392-106-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2392-100-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2392-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2392-159-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2920-60-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2920-83-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/2920-58-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2920-61-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2920-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2920-37-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2920-82-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/2920-38-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2920-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2920-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2920-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2920-48-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads