sality | fe4a4a5749d8ccc09f0e4170747f4047bd9bf267ca15d6ba280d042f3cd71c35

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe4a4a5749d8ccc09f0e4170747f4047bd9bf267ca15d6ba280d042f3cd71c35.dll
Size

120KB
MD5

15c6cebce9096f47ec9690515423b838
SHA1

48cb33447ec511155efd86a2024cb091c5fe55fc
SHA256

fe4a4a5749d8ccc09f0e4170747f4047bd9bf267ca15d6ba280d042f3cd71c35
SHA512

4d69b5bfb8a9b1c016be52753a5878ea33984fecb10875da7031212663107e447f92b72a9aa157d4a57fba4ef6e27e4ece03628fa2fc77f8be6f0894169503a6
SSDEEP

1536:WOc/nxJMWRdf9iSj60XL0L7U0qT9YE+U6W5qUu4YpLzBt/OXJVB:Hcn7ke4qyEhqU36fGXJV

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f761b0f.exef76197a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f76197a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76197a.exef761b0f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b0f.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76197a.exef761b0f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761b0f.exe

Executes dropped EXE 3 IoCs

Processes:

f76197a.exef761b0f.exef763553.exe

pid process

1936 f76197a.exe
2672 f761b0f.exe
2100 f763553.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

1740 rundll32.exe
1740 rundll32.exe
1740 rundll32.exe
1740 rundll32.exe
1740 rundll32.exe
1740 rundll32.exe

pid	process
1936	f76197a.exe
2672	f761b0f.exe
2100	f763553.exe

pid	process
1740	rundll32.exe
1740	rundll32.exe
1740	rundll32.exe
1740	rundll32.exe
1740	rundll32.exe
1740	rundll32.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1936-12-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-16-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-19-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-17-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-22-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-18-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-15-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-21-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-14-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-20-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-64-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-65-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-66-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-68-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-67-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-70-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-71-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-85-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-89-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-92-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/1936-153-0x00000000005A0000-0x000000000165A000-memory.dmp	upx
behavioral1/memory/2672-166-0x0000000000930000-0x00000000019EA000-memory.dmp	upx
behavioral1/memory/2672-179-0x0000000000930000-0x00000000019EA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76197a.exef761b0f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76197a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761b0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761b0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761b0f.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f76197a.exef761b0f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b0f.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f76197a.exe

description	ioc	process
File opened (read-only)	\??\H:	f76197a.exe
File opened (read-only)	\??\I:	f76197a.exe
File opened (read-only)	\??\N:	f76197a.exe
File opened (read-only)	\??\R:	f76197a.exe
File opened (read-only)	\??\G:	f76197a.exe
File opened (read-only)	\??\P:	f76197a.exe
File opened (read-only)	\??\L:	f76197a.exe
File opened (read-only)	\??\K:	f76197a.exe
File opened (read-only)	\??\M:	f76197a.exe
File opened (read-only)	\??\O:	f76197a.exe
File opened (read-only)	\??\Q:	f76197a.exe
File opened (read-only)	\??\S:	f76197a.exe
File opened (read-only)	\??\T:	f76197a.exe
File opened (read-only)	\??\E:	f76197a.exe
File opened (read-only)	\??\J:	f76197a.exe

Drops file in Windows directory 3 IoCs

Processes:

f76197a.exef761b0f.exe

description ioc process

File created C:\Windows\f7619f6 f76197a.exe
File opened for modification C:\Windows\SYSTEM.INI f76197a.exe
File created C:\Windows\f76698c f761b0f.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f76197a.exef761b0f.exe

pid process

1936 f76197a.exe
1936 f76197a.exe
2672 f761b0f.exe

description	ioc	process
File created	C:\Windows\f7619f6	f76197a.exe
File opened for modification	C:\Windows\SYSTEM.INI	f76197a.exe
File created	C:\Windows\f76698c	f761b0f.exe

pid	process
1936	f76197a.exe
1936	f76197a.exe
2672	f761b0f.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

f76197a.exef761b0f.exe

description	pid	process
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	1936	f76197a.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe
Token: SeDebugPrivilege	2672	f761b0f.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

rundll32.exerundll32.exef76197a.exe

description	pid	process	target process
PID 1700 wrote to memory of 1740	1700	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 1740	1700	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 1740	1700	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 1740	1700	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 1740	1700	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 1740	1700	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 1740	1700	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1936	1740	rundll32.exe	f76197a.exe
PID 1740 wrote to memory of 1936	1740	rundll32.exe	f76197a.exe
PID 1740 wrote to memory of 1936	1740	rundll32.exe	f76197a.exe
PID 1740 wrote to memory of 1936	1740	rundll32.exe	f76197a.exe
PID 1936 wrote to memory of 1124	1936	f76197a.exe	taskhost.exe
PID 1936 wrote to memory of 1172	1936	f76197a.exe	Dwm.exe
PID 1936 wrote to memory of 1204	1936	f76197a.exe	Explorer.EXE
PID 1936 wrote to memory of 1076	1936	f76197a.exe	DllHost.exe
PID 1936 wrote to memory of 1700	1936	f76197a.exe	rundll32.exe
PID 1936 wrote to memory of 1740	1936	f76197a.exe	rundll32.exe
PID 1936 wrote to memory of 1740	1936	f76197a.exe	rundll32.exe
PID 1740 wrote to memory of 2672	1740	rundll32.exe	f761b0f.exe
PID 1740 wrote to memory of 2672	1740	rundll32.exe	f761b0f.exe
PID 1740 wrote to memory of 2672	1740	rundll32.exe	f761b0f.exe
PID 1740 wrote to memory of 2672	1740	rundll32.exe	f761b0f.exe
PID 1740 wrote to memory of 2100	1740	rundll32.exe	f763553.exe
PID 1740 wrote to memory of 2100	1740	rundll32.exe	f763553.exe
PID 1740 wrote to memory of 2100	1740	rundll32.exe	f763553.exe
PID 1740 wrote to memory of 2100	1740	rundll32.exe	f763553.exe
PID 1936 wrote to memory of 1124	1936	f76197a.exe	taskhost.exe
PID 1936 wrote to memory of 1172	1936	f76197a.exe	Dwm.exe
PID 1936 wrote to memory of 1204	1936	f76197a.exe	Explorer.EXE
PID 1936 wrote to memory of 2672	1936	f76197a.exe	f761b0f.exe
PID 1936 wrote to memory of 2672	1936	f76197a.exe	f761b0f.exe
PID 1936 wrote to memory of 2100	1936	f76197a.exe	f763553.exe
PID 1936 wrote to memory of 2100	1936	f76197a.exe	f763553.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f76197a.exef761b0f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76197a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761b0f.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe4a4a5749d8ccc09f0e4170747f4047bd9bf267ca15d6ba280d042f3cd71c35.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe4a4a5749d8ccc09f0e4170747f4047bd9bf267ca15d6ba280d042f3cd71c35.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\f76197a.exe
C:\Users\Admin\AppData\Local\Temp\f76197a.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1936

C:\Users\Admin\AppData\Local\Temp\f761b0f.exe
C:\Users\Admin\AppData\Local\Temp\f761b0f.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2672

C:\Users\Admin\AppData\Local\Temp\f763553.exe
C:\Users\Admin\AppData\Local\Temp\f763553.exe
4⤵
- Executes dropped EXE
PID:2100

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1076

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f76197a.exe
Filesize
97KB

MD5
521d44248f71fd70daca880e607264a9

SHA1
baebd9df2e67d199772df090468adf15bf6c9834

SHA256
0e33ad768ce049b4a2f5bfe498a1b9c19388254d2eb420754515d4ff4194d267

SHA512
7e267dadfe1580f3473afa91eedeb39304483412cdff61920b91676abb7cbc0a6f6053b4fbda54d1c3dfbc5e507c22c069fbc9f4cca973f2e6216f172809ba0b

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
ea2511ae9454b9cfcf4db58150dc45c7

SHA1
8e2c7075307830a9bcf0ff524cddc6a2ea80f452

SHA256
ad791c445cfece3c03f9a8c9e270740992e8396fb8ea0909fdb430c04fba3839

SHA512
73717b344a640e26c2ecb9446b014f9179452da02451a7505ba005fbb5154ab6105751985765613c5d72add88b39bfc36a8e67ffa379c2c0d1a477e952487b46

Download Submit
memory/1124-23-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/1740-11-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/1740-9-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/1740-79-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1740-83-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/1740-84-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/1740-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1740-52-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1740-54-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1740-33-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1740-34-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1740-43-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1740-53-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/1936-64-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-16-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-44-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1936-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1936-15-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-58-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1936-57-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1936-22-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-21-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-14-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-20-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-17-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-65-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-66-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-68-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-67-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-70-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-71-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-19-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-18-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-153-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-85-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-12-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-89-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-92-0x00000000005A0000-0x000000000165A000-memory.dmp

Filesize
16.7MB

Download
memory/1936-154-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1936-132-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/2100-109-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2100-106-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2100-107-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2100-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2100-184-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2672-108-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2672-102-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2672-101-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2672-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2672-166-0x0000000000930000-0x00000000019EA000-memory.dmp

Filesize
16.7MB

Download
memory/2672-180-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2672-179-0x0000000000930000-0x00000000019EA000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads