sality | ddf559b3ff64dd4f97fbcdb714bdd5080dee3ec2e05490e02639c4ade47a234c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddf559b3ff64dd4f97fbcdb714bdd5080dee3ec2e05490e02639c4ade47a234c.dll
Size

120KB
MD5

0dc89f9b7a17746391e7e9d921696fcb
SHA1

5ea70ee11755c803f591675c2158b1556a3da4b8
SHA256

ddf559b3ff64dd4f97fbcdb714bdd5080dee3ec2e05490e02639c4ade47a234c
SHA512

0b546c4328b00e4f8a5487dd970bf59888604f2db191fdef9ab398a7b37994f96c68906bbe3f1bdd4709abec7696bb443973ba58d590596c7e5d704a4a9bf4c0
SSDEEP

3072:wuY2rvoQC6+YzK+0kmqzJMy9PXTEPXIKY0bxEYB:xoV6+JHkDtR9PYPYP0bxEY

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f763b9a.exef760f7b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f763b9a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760f7b.exef763b9a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763b9a.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760f7b.exef763b9a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f763b9a.exe

Executes dropped EXE 3 IoCs

Processes:

f760f7b.exef761120.exef763b9a.exe

pid process

2404 f760f7b.exe
2804 f761120.exe
2952 f763b9a.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2220 rundll32.exe
2220 rundll32.exe
2220 rundll32.exe
2220 rundll32.exe
2220 rundll32.exe
2220 rundll32.exe

pid	process
2404	f760f7b.exe
2804	f761120.exe
2952	f763b9a.exe

pid	process
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2404-14-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-17-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-16-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-42-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-22-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-20-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-15-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-21-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-19-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-18-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-64-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-65-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-66-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-67-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-68-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-82-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-96-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-97-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-101-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-105-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-106-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-114-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-116-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2404-139-0x0000000000710000-0x00000000017CA000-memory.dmp	upx
behavioral1/memory/2952-155-0x0000000000640000-0x00000000016FA000-memory.dmp	upx
behavioral1/memory/2952-207-0x0000000000640000-0x00000000016FA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760f7b.exef763b9a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760f7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f763b9a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760f7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f760f7b.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f760f7b.exef763b9a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763b9a.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f760f7b.exef763b9a.exe

description	ioc	process
File opened (read-only)	\??\E:	f760f7b.exe
File opened (read-only)	\??\G:	f760f7b.exe
File opened (read-only)	\??\H:	f760f7b.exe
File opened (read-only)	\??\M:	f760f7b.exe
File opened (read-only)	\??\G:	f763b9a.exe
File opened (read-only)	\??\I:	f760f7b.exe
File opened (read-only)	\??\J:	f760f7b.exe
File opened (read-only)	\??\K:	f760f7b.exe
File opened (read-only)	\??\E:	f763b9a.exe
File opened (read-only)	\??\H:	f763b9a.exe
File opened (read-only)	\??\L:	f760f7b.exe
File opened (read-only)	\??\N:	f760f7b.exe
File opened (read-only)	\??\I:	f763b9a.exe
File opened (read-only)	\??\J:	f763b9a.exe

Drops file in Windows directory 3 IoCs

Processes:

f760f7b.exef763b9a.exe

description ioc process

File created C:\Windows\f760fe8 f760f7b.exe
File opened for modification C:\Windows\SYSTEM.INI f760f7b.exe
File created C:\Windows\f7662f7 f763b9a.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f760f7b.exef763b9a.exe

pid process

2404 f760f7b.exe
2404 f760f7b.exe
2952 f763b9a.exe

description	ioc	process
File created	C:\Windows\f760fe8	f760f7b.exe
File opened for modification	C:\Windows\SYSTEM.INI	f760f7b.exe
File created	C:\Windows\f7662f7	f763b9a.exe

pid	process
2404	f760f7b.exe
2404	f760f7b.exe
2952	f763b9a.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f760f7b.exef763b9a.exe

description	pid	process
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2404	f760f7b.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe
Token: SeDebugPrivilege	2952	f763b9a.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

rundll32.exerundll32.exef760f7b.exef763b9a.exe

description	pid	process	target process
PID 2464 wrote to memory of 2220	2464	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 2220	2464	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 2220	2464	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 2220	2464	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 2220	2464	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 2220	2464	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 2220	2464	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2404	2220	rundll32.exe	f760f7b.exe
PID 2220 wrote to memory of 2404	2220	rundll32.exe	f760f7b.exe
PID 2220 wrote to memory of 2404	2220	rundll32.exe	f760f7b.exe
PID 2220 wrote to memory of 2404	2220	rundll32.exe	f760f7b.exe
PID 2404 wrote to memory of 1172	2404	f760f7b.exe	taskhost.exe
PID 2404 wrote to memory of 1268	2404	f760f7b.exe	Dwm.exe
PID 2404 wrote to memory of 1312	2404	f760f7b.exe	Explorer.EXE
PID 2404 wrote to memory of 1356	2404	f760f7b.exe	DllHost.exe
PID 2404 wrote to memory of 2464	2404	f760f7b.exe	rundll32.exe
PID 2404 wrote to memory of 2220	2404	f760f7b.exe	rundll32.exe
PID 2404 wrote to memory of 2220	2404	f760f7b.exe	rundll32.exe
PID 2220 wrote to memory of 2804	2220	rundll32.exe	f761120.exe
PID 2220 wrote to memory of 2804	2220	rundll32.exe	f761120.exe
PID 2220 wrote to memory of 2804	2220	rundll32.exe	f761120.exe
PID 2220 wrote to memory of 2804	2220	rundll32.exe	f761120.exe
PID 2404 wrote to memory of 1172	2404	f760f7b.exe	taskhost.exe
PID 2404 wrote to memory of 1268	2404	f760f7b.exe	Dwm.exe
PID 2404 wrote to memory of 1312	2404	f760f7b.exe	Explorer.EXE
PID 2404 wrote to memory of 2464	2404	f760f7b.exe	rundll32.exe
PID 2404 wrote to memory of 2804	2404	f760f7b.exe	f761120.exe
PID 2404 wrote to memory of 2804	2404	f760f7b.exe	f761120.exe
PID 2220 wrote to memory of 2952	2220	rundll32.exe	f763b9a.exe
PID 2220 wrote to memory of 2952	2220	rundll32.exe	f763b9a.exe
PID 2220 wrote to memory of 2952	2220	rundll32.exe	f763b9a.exe
PID 2220 wrote to memory of 2952	2220	rundll32.exe	f763b9a.exe
PID 2952 wrote to memory of 1172	2952	f763b9a.exe	taskhost.exe
PID 2952 wrote to memory of 1268	2952	f763b9a.exe	Dwm.exe
PID 2952 wrote to memory of 1312	2952	f763b9a.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f760f7b.exef763b9a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760f7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f763b9a.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1172

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1312

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddf559b3ff64dd4f97fbcdb714bdd5080dee3ec2e05490e02639c4ade47a234c.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddf559b3ff64dd4f97fbcdb714bdd5080dee3ec2e05490e02639c4ade47a234c.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\f760f7b.exe
C:\Users\Admin\AppData\Local\Temp\f760f7b.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2404

C:\Users\Admin\AppData\Local\Temp\f761120.exe
C:\Users\Admin\AppData\Local\Temp\f761120.exe
4⤵
- Executes dropped EXE
PID:2804

C:\Users\Admin\AppData\Local\Temp\f763b9a.exe
C:\Users\Admin\AppData\Local\Temp\f763b9a.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1356

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
521fcec7f5c20b9575b61354ebe0cf51

SHA1
0a03c57ee75cefd9822fe9d601231b0cf2436fe4

SHA256
a5186deb1b335f0d24e90043c2d343d4f9237ee92de506b0292879f368b45896

SHA512
3833c6dc04cd38f984e972373a3c884e0f2b551c410fe874035f5bcb9670d17b28d77fc427de6dc6fe67d77462393ba3c0961c80ab86f1e065b73b19d50ff7f6

Download Submit
\Users\Admin\AppData\Local\Temp\f760f7b.exe
Filesize
97KB

MD5
eaa5e1d1ecda27ec55a425b796bf1be5

SHA1
c5ef3173b285920a4c1a286cca28db5bdd556836

SHA256
f824decdf7f216d5b26c4017ad2bac5e987e871fc27ea40659c2b705f1b838e9

SHA512
24b97d70c44756d5ddba35aca72af2417640d033b316aec65f7e21d056d8dc173eac72d4098d1573d21542f6d58697d587d4a06c59a0c228f2dd8c8bc48164c5

Download Submit
memory/1172-23-0x0000000000410000-0x0000000000412000-memory.dmp

Filesize
8KB

Download
memory/2220-94-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2220-8-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2220-91-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2220-33-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2220-9-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2220-52-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2220-43-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2220-54-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/2220-55-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2220-10-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2220-32-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2404-64-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-106-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-20-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-21-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2404-22-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-42-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-19-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-18-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-44-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2404-62-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2404-63-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2404-16-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-65-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-66-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-67-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-68-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-139-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2404-116-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-82-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-17-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-14-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-114-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-96-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-97-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-101-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-105-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2404-15-0x0000000000710000-0x00000000017CA000-memory.dmp

Filesize
16.7MB

Download
memory/2804-81-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2804-79-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-80-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2804-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2804-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-95-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-155-0x0000000000640000-0x00000000016FA000-memory.dmp

Filesize
16.7MB

Download
memory/2952-207-0x0000000000640000-0x00000000016FA000-memory.dmp

Filesize
16.7MB

Download
memory/2952-206-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads