sality | 064594771fd6de5d606d49b66f68066fbe33659fce1fce7e04e5591f8f50ed32

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064594771fd6de5d606d49b66f68066fbe33659fce1fce7e04e5591f8f50ed32.dll
Size

120KB
MD5

4681e5f309b44761f9e39c57a1168ab7
SHA1

4fbb7aea9887698d189424525f7109184fb7bd34
SHA256

064594771fd6de5d606d49b66f68066fbe33659fce1fce7e04e5591f8f50ed32
SHA512

a4f3b216706b29d587bd496f9cb026853fd4a85f9e584c69cf6fc8aa3671d68354ea8c82c820e0b85541db9a5ef071973dd6bd19f1daaadbc2d2b17bc15bba13
SSDEEP

3072:hHLI9KerBaHVg3/kfWPmdEhfaLaqIL389xjosGM:BLMruVg3vPPhfnhQ9xjo

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f762388.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f762388.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7641c1.exef762388.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762388.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f762388.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7641c1.exe

Executes dropped EXE 3 IoCs

Processes:

f762388.exef76251d.exef7641c1.exe

pid process

1264 f762388.exe
2272 f76251d.exe
2176 f7641c1.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2212 rundll32.exe
2212 rundll32.exe
2212 rundll32.exe
2212 rundll32.exe
2212 rundll32.exe
2212 rundll32.exe

pid	process
1264	f762388.exe
2272	f76251d.exe
2176	f7641c1.exe

pid	process
2212	rundll32.exe
2212	rundll32.exe
2212	rundll32.exe
2212	rundll32.exe
2212	rundll32.exe
2212	rundll32.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1264-12-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-16-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-19-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-22-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-17-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-21-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-20-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-18-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-15-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-14-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-57-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-58-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-63-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-65-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-64-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-67-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-68-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-70-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-84-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-88-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-110-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/1264-152-0x0000000000680000-0x000000000173A000-memory.dmp	upx
behavioral1/memory/2176-166-0x0000000000920000-0x00000000019DA000-memory.dmp	upx
behavioral1/memory/2176-208-0x0000000000920000-0x00000000019DA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f762388.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7641c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7641c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7641c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7641c1.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f762388.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7641c1.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f762388.exef7641c1.exe

description	ioc	process
File opened (read-only)	\??\J:	f762388.exe
File opened (read-only)	\??\O:	f762388.exe
File opened (read-only)	\??\T:	f762388.exe
File opened (read-only)	\??\E:	f7641c1.exe
File opened (read-only)	\??\G:	f7641c1.exe
File opened (read-only)	\??\H:	f762388.exe
File opened (read-only)	\??\K:	f762388.exe
File opened (read-only)	\??\P:	f762388.exe
File opened (read-only)	\??\Q:	f762388.exe
File opened (read-only)	\??\R:	f762388.exe
File opened (read-only)	\??\E:	f762388.exe
File opened (read-only)	\??\I:	f762388.exe
File opened (read-only)	\??\L:	f762388.exe
File opened (read-only)	\??\G:	f762388.exe
File opened (read-only)	\??\M:	f762388.exe
File opened (read-only)	\??\N:	f762388.exe
File opened (read-only)	\??\S:	f762388.exe

Drops file in Windows directory 3 IoCs

Processes:

f762388.exef7641c1.exe

description ioc process

File created C:\Windows\f7623d6 f762388.exe
File opened for modification C:\Windows\SYSTEM.INI f762388.exe
File created C:\Windows\f7673e8 f7641c1.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f762388.exef7641c1.exe

pid process

1264 f762388.exe
1264 f762388.exe
2176 f7641c1.exe

description	ioc	process
File created	C:\Windows\f7623d6	f762388.exe
File opened for modification	C:\Windows\SYSTEM.INI	f762388.exe
File created	C:\Windows\f7673e8	f7641c1.exe

pid	process
1264	f762388.exe
1264	f762388.exe
2176	f7641c1.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f762388.exef7641c1.exe

description	pid	process
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	1264	f762388.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe
Token: SeDebugPrivilege	2176	f7641c1.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef762388.exef7641c1.exe

description	pid	process	target process
PID 2208 wrote to memory of 2212	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2212	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2212	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2212	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2212	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2212	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2212	2208	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 1264	2212	rundll32.exe	f762388.exe
PID 2212 wrote to memory of 1264	2212	rundll32.exe	f762388.exe
PID 2212 wrote to memory of 1264	2212	rundll32.exe	f762388.exe
PID 2212 wrote to memory of 1264	2212	rundll32.exe	f762388.exe
PID 1264 wrote to memory of 1100	1264	f762388.exe	taskhost.exe
PID 1264 wrote to memory of 1156	1264	f762388.exe	Dwm.exe
PID 1264 wrote to memory of 1184	1264	f762388.exe	Explorer.EXE
PID 1264 wrote to memory of 1732	1264	f762388.exe	DllHost.exe
PID 1264 wrote to memory of 2208	1264	f762388.exe	rundll32.exe
PID 1264 wrote to memory of 2212	1264	f762388.exe	rundll32.exe
PID 1264 wrote to memory of 2212	1264	f762388.exe	rundll32.exe
PID 2212 wrote to memory of 2272	2212	rundll32.exe	f76251d.exe
PID 2212 wrote to memory of 2272	2212	rundll32.exe	f76251d.exe
PID 2212 wrote to memory of 2272	2212	rundll32.exe	f76251d.exe
PID 2212 wrote to memory of 2272	2212	rundll32.exe	f76251d.exe
PID 2212 wrote to memory of 2176	2212	rundll32.exe	f7641c1.exe
PID 2212 wrote to memory of 2176	2212	rundll32.exe	f7641c1.exe
PID 2212 wrote to memory of 2176	2212	rundll32.exe	f7641c1.exe
PID 2212 wrote to memory of 2176	2212	rundll32.exe	f7641c1.exe
PID 1264 wrote to memory of 1100	1264	f762388.exe	taskhost.exe
PID 1264 wrote to memory of 1156	1264	f762388.exe	Dwm.exe
PID 1264 wrote to memory of 1184	1264	f762388.exe	Explorer.EXE
PID 1264 wrote to memory of 2272	1264	f762388.exe	f76251d.exe
PID 1264 wrote to memory of 2272	1264	f762388.exe	f76251d.exe
PID 1264 wrote to memory of 2176	1264	f762388.exe	f7641c1.exe
PID 1264 wrote to memory of 2176	1264	f762388.exe	f7641c1.exe
PID 2176 wrote to memory of 1100	2176	f7641c1.exe	taskhost.exe
PID 2176 wrote to memory of 1156	2176	f7641c1.exe	Dwm.exe
PID 2176 wrote to memory of 1184	2176	f7641c1.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f762388.exef7641c1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7641c1.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\064594771fd6de5d606d49b66f68066fbe33659fce1fce7e04e5591f8f50ed32.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\064594771fd6de5d606d49b66f68066fbe33659fce1fce7e04e5591f8f50ed32.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\f762388.exe
C:\Users\Admin\AppData\Local\Temp\f762388.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1264

C:\Users\Admin\AppData\Local\Temp\f76251d.exe
C:\Users\Admin\AppData\Local\Temp\f76251d.exe
4⤵
- Executes dropped EXE
PID:2272

C:\Users\Admin\AppData\Local\Temp\f7641c1.exe
C:\Users\Admin\AppData\Local\Temp\f7641c1.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1732

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
b47330b7ee0ce4aac6c38cd593f4a51e

SHA1
fbd6531363c66fa5d48b6d2aefeda933f71a7423

SHA256
091ca8ecddf0da6b052c4a2c7752b13c3c6362b41310a80b7c63e5287cb6ef12

SHA512
2488862567d7f7118a7dd9947206baab4ade369bb4835dc274806323adcbfe8acde4b28e408d1aab646904f073ce3e86528e3d77191139fc2a7639369e4b6226

Download Submit
\Users\Admin\AppData\Local\Temp\f762388.exe
Filesize
97KB

MD5
f5f6a55c00b3aec25834f85933fb04da

SHA1
7187cf6b5f85433695bbf6b45fb20e119ff90fee

SHA256
0dccd6f16614713dc8eed76b24d67a576f663c3dc37ccba3c3534de98deae16c

SHA512
2b5b32aba92f13747e34e446f505b80e92ba0917671a627731b690601dbb0ca27c6a450140e65b4c20e3456d7ddf1888850f071d441785d290576f9978e98ad2

Download Submit
memory/1100-28-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/1264-123-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1264-110-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-12-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-16-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-19-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-22-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-17-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-48-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1264-152-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-21-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-46-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1264-67-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-20-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1264-88-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1264-18-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-15-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-14-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-57-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-58-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-84-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-70-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-68-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-59-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1264-63-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-65-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/1264-64-0x0000000000680000-0x000000000173A000-memory.dmp

Filesize
16.7MB

Download
memory/2176-104-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2176-105-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2176-208-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2176-207-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2176-166-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2176-85-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2176-107-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2212-55-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2212-37-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2212-61-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2212-82-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/2212-36-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2212-81-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2212-9-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2212-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2212-45-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2212-60-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2212-8-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2272-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2272-108-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2272-180-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2272-106-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2272-98-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads