sality | 180c6b412b753ee16be4a404e308a150581156935a177f90365b9c825b3f1aa3

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1baf4fd93dab605677731f30c4b96c14_JaffaCakes118.dll
Size

120KB
MD5

1baf4fd93dab605677731f30c4b96c14
SHA1

2558a32f11a0db7e296eb6ffdaa360ea41f5a14e
SHA256

180c6b412b753ee16be4a404e308a150581156935a177f90365b9c825b3f1aa3
SHA512

d71ce496760ccfaaca012b685c09ed31276d9ac7325a11ff1db6423bb8b9192e0e2be33dee7d4657c6a2243ae2215c694ecbe603b1037ba74f9bdb02c228eb74
SSDEEP

3072:UTGuGG3rOgL8LK0lqCywCjALf4uSLPT6m05b:UhGAOgP00CfMA3u2m0F

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f7630c1.exef7632b4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7632b4.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7630c1.exef7632b4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7632b4.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7630c1.exef7632b4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7630c1.exe

Executes dropped EXE 3 IoCs

Processes:

f7630c1.exef7632b4.exef764c3c.exe

pid process

836 f7630c1.exe
2540 f7632b4.exe
2276 f764c3c.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2928 rundll32.exe
2928 rundll32.exe
2928 rundll32.exe
2928 rundll32.exe
2928 rundll32.exe
2928 rundll32.exe

pid	process
836	f7630c1.exe
2540	f7632b4.exe
2276	f764c3c.exe

pid	process
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/836-17-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-20-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-15-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-16-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-23-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-21-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-19-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-18-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-22-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-14-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-64-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-65-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-66-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-68-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-67-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-70-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-71-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-84-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-87-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-89-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/836-158-0x0000000000560000-0x000000000161A000-memory.dmp	upx
behavioral1/memory/2540-170-0x0000000000940000-0x00000000019FA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7630c1.exef7632b4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7630c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7632b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7630c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7632b4.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7630c1.exef7632b4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7632b4.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7630c1.exe

description	ioc	process
File opened (read-only)	\??\J:	f7630c1.exe
File opened (read-only)	\??\K:	f7630c1.exe
File opened (read-only)	\??\P:	f7630c1.exe
File opened (read-only)	\??\Q:	f7630c1.exe
File opened (read-only)	\??\G:	f7630c1.exe
File opened (read-only)	\??\L:	f7630c1.exe
File opened (read-only)	\??\M:	f7630c1.exe
File opened (read-only)	\??\S:	f7630c1.exe
File opened (read-only)	\??\H:	f7630c1.exe
File opened (read-only)	\??\I:	f7630c1.exe
File opened (read-only)	\??\O:	f7630c1.exe
File opened (read-only)	\??\E:	f7630c1.exe
File opened (read-only)	\??\N:	f7630c1.exe
File opened (read-only)	\??\R:	f7630c1.exe

Drops file in Windows directory 3 IoCs

Processes:

f7630c1.exef7632b4.exe

description ioc process

File created C:\Windows\f76314d f7630c1.exe
File opened for modification C:\Windows\SYSTEM.INI f7630c1.exe
File created C:\Windows\f768131 f7632b4.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f7630c1.exe

pid process

836 f7630c1.exe
836 f7630c1.exe

description	ioc	process
File created	C:\Windows\f76314d	f7630c1.exe
File opened for modification	C:\Windows\SYSTEM.INI	f7630c1.exe
File created	C:\Windows\f768131	f7632b4.exe

pid	process
836	f7630c1.exe
836	f7630c1.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

f7630c1.exe

description	pid	process
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe
Token: SeDebugPrivilege	836	f7630c1.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

rundll32.exerundll32.exef7630c1.exe

description	pid	process	target process
PID 1684 wrote to memory of 2928	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2928	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2928	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2928	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2928	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2928	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2928	1684	rundll32.exe	rundll32.exe
PID 2928 wrote to memory of 836	2928	rundll32.exe	f7630c1.exe
PID 2928 wrote to memory of 836	2928	rundll32.exe	f7630c1.exe
PID 2928 wrote to memory of 836	2928	rundll32.exe	f7630c1.exe
PID 2928 wrote to memory of 836	2928	rundll32.exe	f7630c1.exe
PID 836 wrote to memory of 1104	836	f7630c1.exe	taskhost.exe
PID 836 wrote to memory of 1168	836	f7630c1.exe	Dwm.exe
PID 836 wrote to memory of 1204	836	f7630c1.exe	Explorer.EXE
PID 836 wrote to memory of 1624	836	f7630c1.exe	DllHost.exe
PID 836 wrote to memory of 1684	836	f7630c1.exe	rundll32.exe
PID 836 wrote to memory of 2928	836	f7630c1.exe	rundll32.exe
PID 836 wrote to memory of 2928	836	f7630c1.exe	rundll32.exe
PID 2928 wrote to memory of 2540	2928	rundll32.exe	f7632b4.exe
PID 2928 wrote to memory of 2540	2928	rundll32.exe	f7632b4.exe
PID 2928 wrote to memory of 2540	2928	rundll32.exe	f7632b4.exe
PID 2928 wrote to memory of 2540	2928	rundll32.exe	f7632b4.exe
PID 2928 wrote to memory of 2276	2928	rundll32.exe	f764c3c.exe
PID 2928 wrote to memory of 2276	2928	rundll32.exe	f764c3c.exe
PID 2928 wrote to memory of 2276	2928	rundll32.exe	f764c3c.exe
PID 2928 wrote to memory of 2276	2928	rundll32.exe	f764c3c.exe
PID 836 wrote to memory of 1104	836	f7630c1.exe	taskhost.exe
PID 836 wrote to memory of 1168	836	f7630c1.exe	Dwm.exe
PID 836 wrote to memory of 1204	836	f7630c1.exe	Explorer.EXE
PID 836 wrote to memory of 2540	836	f7630c1.exe	f7632b4.exe
PID 836 wrote to memory of 2540	836	f7630c1.exe	f7632b4.exe
PID 836 wrote to memory of 2276	836	f7630c1.exe	f764c3c.exe
PID 836 wrote to memory of 2276	836	f7630c1.exe	f764c3c.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7630c1.exef7632b4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7630c1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7632b4.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1baf4fd93dab605677731f30c4b96c14_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1baf4fd93dab605677731f30c4b96c14_JaffaCakes118.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\f7630c1.exe
C:\Users\Admin\AppData\Local\Temp\f7630c1.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:836

C:\Users\Admin\AppData\Local\Temp\f7632b4.exe
C:\Users\Admin\AppData\Local\Temp\f7632b4.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:2540

C:\Users\Admin\AppData\Local\Temp\f764c3c.exe
C:\Users\Admin\AppData\Local\Temp\f764c3c.exe
4⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1624

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
256B

MD5
e514a080a8680b7e72452e4573506bf1

SHA1
95b8b0830ea8890226ba1fb2a744e0bbf65d2f5b

SHA256
2fee70b8cb9b92466fcbeb1acf85f0a41dd4348ffdf3d583b322c88249798c5c

SHA512
a1b43c595c9cea1e8fc769d7058d120db2ae9a9eb9d021d0781f4ee598424008bca66fb5225aae1e66c3af6ccfac82908fcf1a8a146ab1d6b0633c3cc2335820

Download Submit
\Users\Admin\AppData\Local\Temp\f7630c1.exe
Filesize
97KB

MD5
69eeaa7600223a00ee5fad7164f9a4d1

SHA1
17a07dbabfb127b1d389e6f15bcfda25a8c3f423

SHA256
470301e32c0277616e4a06267d7de20651538b670e41b9f45c028f49275630eb

SHA512
9dc79459178ad036772d45b3011512a30b033071346c33496234009d0ef7b4ccaac37b740760eef23bd613afa31e92c1ef51990d690ee5df23a4dc43eafa3f72

Download Submit
memory/836-87-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-158-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-157-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/836-17-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-20-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-15-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-16-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/836-43-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/836-23-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-21-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-19-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-18-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-152-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/836-14-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-60-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/836-58-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/836-89-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-22-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-84-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-64-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-71-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-70-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-67-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-68-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-65-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/836-66-0x0000000000560000-0x000000000161A000-memory.dmp

Filesize
16.7MB

Download
memory/1104-24-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2276-110-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2276-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2276-109-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2276-177-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2540-108-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2540-100-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2540-170-0x0000000000940000-0x00000000019FA000-memory.dmp

Filesize
16.7MB

Download
memory/2540-173-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2540-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2540-99-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2928-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2928-3-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2928-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2928-44-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2928-35-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2928-54-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2928-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2928-80-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2928-52-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2928-36-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads