sality | 54dc2ed54bf0aa11e0ad1e3bd6907b78b8e15255c462758f148e03d34508da2a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54dc2ed54bf0aa11e0ad1e3bd6907b78b8e15255c462758f148e03d34508da2a.dll
Size

120KB
MD5

baa2dcd480a0adebf87f06340f11169d
SHA1

e5288e62a356b0f88d59e180dbcd8be36a033c33
SHA256

54dc2ed54bf0aa11e0ad1e3bd6907b78b8e15255c462758f148e03d34508da2a
SHA512

62780aec25412fd702c2e56788df133b27c0359226b6a323a6085458c5b393e4d4c6f3787220d2aac34b98b1b11c20875720555e46f9848c6a82b26f563e06e5
SSDEEP

3072:SiD0yNHqF9JtaWTWNmxs/CQd6FFtbpoYFTCzAvVXALfnDK:SmHCJsNDq3doYF+zcALfDK

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f76251d.exef7640d7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f76251d.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76251d.exef7640d7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7640d7.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7640d7.exef76251d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7640d7.exe

Executes dropped EXE 3 IoCs

Processes:

f76251d.exef7626a3.exef7640d7.exe

pid process

1820 f76251d.exe
2616 f7626a3.exe
1920 f7640d7.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2028 rundll32.exe
2028 rundll32.exe
2028 rundll32.exe
2028 rundll32.exe
2028 rundll32.exe
2028 rundll32.exe

pid	process
1820	f76251d.exe
2616	f7626a3.exe
1920	f7640d7.exe

pid	process
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1820-17-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-20-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-22-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-16-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-15-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-23-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-24-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-21-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-18-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-19-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-63-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-62-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-64-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-66-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-65-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-68-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-82-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-83-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-85-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-107-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-121-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1820-156-0x0000000000960000-0x0000000001A1A000-memory.dmp	upx
behavioral1/memory/1920-173-0x0000000000910000-0x00000000019CA000-memory.dmp	upx
behavioral1/memory/1920-211-0x0000000000910000-0x00000000019CA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76251d.exef7640d7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76251d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7640d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7640d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7640d7.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f76251d.exef7640d7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7640d7.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f76251d.exef7640d7.exe

description	ioc	process
File opened (read-only)	\??\Q:	f76251d.exe
File opened (read-only)	\??\L:	f76251d.exe
File opened (read-only)	\??\J:	f76251d.exe
File opened (read-only)	\??\M:	f76251d.exe
File opened (read-only)	\??\O:	f76251d.exe
File opened (read-only)	\??\P:	f76251d.exe
File opened (read-only)	\??\E:	f7640d7.exe
File opened (read-only)	\??\G:	f7640d7.exe
File opened (read-only)	\??\H:	f76251d.exe
File opened (read-only)	\??\N:	f76251d.exe
File opened (read-only)	\??\I:	f76251d.exe
File opened (read-only)	\??\G:	f76251d.exe
File opened (read-only)	\??\K:	f76251d.exe
File opened (read-only)	\??\R:	f76251d.exe
File opened (read-only)	\??\S:	f76251d.exe
File opened (read-only)	\??\E:	f76251d.exe

Drops file in Windows directory 3 IoCs

Processes:

f76251d.exef7640d7.exe

description ioc process

File created C:\Windows\f76257b f76251d.exe
File opened for modification C:\Windows\SYSTEM.INI f76251d.exe
File created C:\Windows\f7675ad f7640d7.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f76251d.exef7640d7.exe

pid process

1820 f76251d.exe
1820 f76251d.exe
1920 f7640d7.exe

description	ioc	process
File created	C:\Windows\f76257b	f76251d.exe
File opened for modification	C:\Windows\SYSTEM.INI	f76251d.exe
File created	C:\Windows\f7675ad	f7640d7.exe

pid	process
1820	f76251d.exe
1820	f76251d.exe
1920	f7640d7.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f76251d.exef7640d7.exe

description	pid	process
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1820	f76251d.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe
Token: SeDebugPrivilege	1920	f7640d7.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef76251d.exef7640d7.exe

description	pid	process	target process
PID 2080 wrote to memory of 2028	2080	rundll32.exe	rundll32.exe
PID 2080 wrote to memory of 2028	2080	rundll32.exe	rundll32.exe
PID 2080 wrote to memory of 2028	2080	rundll32.exe	rundll32.exe
PID 2080 wrote to memory of 2028	2080	rundll32.exe	rundll32.exe
PID 2080 wrote to memory of 2028	2080	rundll32.exe	rundll32.exe
PID 2080 wrote to memory of 2028	2080	rundll32.exe	rundll32.exe
PID 2080 wrote to memory of 2028	2080	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1820	2028	rundll32.exe	f76251d.exe
PID 2028 wrote to memory of 1820	2028	rundll32.exe	f76251d.exe
PID 2028 wrote to memory of 1820	2028	rundll32.exe	f76251d.exe
PID 2028 wrote to memory of 1820	2028	rundll32.exe	f76251d.exe
PID 1820 wrote to memory of 1120	1820	f76251d.exe	taskhost.exe
PID 1820 wrote to memory of 1184	1820	f76251d.exe	Dwm.exe
PID 1820 wrote to memory of 1212	1820	f76251d.exe	Explorer.EXE
PID 1820 wrote to memory of 1064	1820	f76251d.exe	DllHost.exe
PID 1820 wrote to memory of 2080	1820	f76251d.exe	rundll32.exe
PID 1820 wrote to memory of 2028	1820	f76251d.exe	rundll32.exe
PID 1820 wrote to memory of 2028	1820	f76251d.exe	rundll32.exe
PID 2028 wrote to memory of 2616	2028	rundll32.exe	f7626a3.exe
PID 2028 wrote to memory of 2616	2028	rundll32.exe	f7626a3.exe
PID 2028 wrote to memory of 2616	2028	rundll32.exe	f7626a3.exe
PID 2028 wrote to memory of 2616	2028	rundll32.exe	f7626a3.exe
PID 2028 wrote to memory of 1920	2028	rundll32.exe	f7640d7.exe
PID 2028 wrote to memory of 1920	2028	rundll32.exe	f7640d7.exe
PID 2028 wrote to memory of 1920	2028	rundll32.exe	f7640d7.exe
PID 2028 wrote to memory of 1920	2028	rundll32.exe	f7640d7.exe
PID 1820 wrote to memory of 1120	1820	f76251d.exe	taskhost.exe
PID 1820 wrote to memory of 1184	1820	f76251d.exe	Dwm.exe
PID 1820 wrote to memory of 1212	1820	f76251d.exe	Explorer.EXE
PID 1820 wrote to memory of 2616	1820	f76251d.exe	f7626a3.exe
PID 1820 wrote to memory of 2616	1820	f76251d.exe	f7626a3.exe
PID 1820 wrote to memory of 1920	1820	f76251d.exe	f7640d7.exe
PID 1820 wrote to memory of 1920	1820	f76251d.exe	f7640d7.exe
PID 1920 wrote to memory of 1120	1920	f7640d7.exe	taskhost.exe
PID 1920 wrote to memory of 1184	1920	f7640d7.exe	Dwm.exe
PID 1920 wrote to memory of 1212	1920	f7640d7.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f76251d.exef7640d7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76251d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7640d7.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\54dc2ed54bf0aa11e0ad1e3bd6907b78b8e15255c462758f148e03d34508da2a.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\54dc2ed54bf0aa11e0ad1e3bd6907b78b8e15255c462758f148e03d34508da2a.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\f76251d.exe
C:\Users\Admin\AppData\Local\Temp\f76251d.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820

C:\Users\Admin\AppData\Local\Temp\f7626a3.exe
C:\Users\Admin\AppData\Local\Temp\f7626a3.exe
4⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\Temp\f7640d7.exe
C:\Users\Admin\AppData\Local\Temp\f7640d7.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1064

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f76251d.exe
Filesize
97KB

MD5
3801d8d610074bf3fdacd1a0204104aa

SHA1
b19cfc2125e02c4b7f683e07f9157909d4b06652

SHA256
717580db47bb36a42e6dc35d7f0e772a4ddb211a326ab36a4baa4c6060acafa5

SHA512
d30c33bb44aa1ea293fdcc920eb3ddd29267f4326a0dc1a7ed6342a457560ddbc4a754f274c35e2c7924def781d45cd349b5f1562c91a8c071cbdc910e744cc3

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
a1ccea2681fdfd14c41bf4033b2d81cf

SHA1
d60bed497945f0c175220e6b7499e40608d03f29

SHA256
ae9ec865b9d500819a654d57f21e1c91076732c094b230e5b0e49ec35a3a37b7

SHA512
a6dbd0b850c79111061930aed77af222c30e312afbaa30d90dd6c5654a38342ed1e3b2095fe5afe76299ae732cd13b3bd07431334d1ad2b6031730fa78eaba80

Download Submit
memory/1120-30-0x0000000000210000-0x0000000000212000-memory.dmp

Filesize
8KB

Download
memory/1820-62-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-121-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-156-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-17-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-64-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-22-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-16-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-15-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-23-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-24-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-50-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1820-48-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1820-155-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-65-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-107-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-66-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-21-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-18-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-19-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-85-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-83-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-82-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-68-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-63-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1820-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-20-0x0000000000960000-0x0000000001A1A000-memory.dmp

Filesize
16.7MB

Download
memory/1920-104-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1920-103-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1920-210-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1920-211-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/1920-173-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/1920-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1920-106-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2028-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-59-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2028-76-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2028-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-57-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2028-60-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2028-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2028-38-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2028-39-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2028-47-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2028-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2616-105-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2616-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2616-183-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2616-97-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2616-96-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads