sality | 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2

General

Target

5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
Size

567KB
MD5

742fa4d87468c0627133ec45629c692d
SHA1

d9bb92a9b3a050394f8008d76e94eb8cffb82787
SHA256

5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2
SHA512

70218d835228e6180971e833ef477f9e8648bc03d877b466d8d4778f7598278dab46bec44767265c7a66873eea09d7a13d36496d156c53e4fcc1893db17b9bb4

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svhost.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svhost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svhost.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svhost.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

svhost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	svhost.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1052 svhost.exe

pid	process
1052	svhost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1052-61-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1052-63-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1052-65-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1052-69-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1052-71-0x0000000002C10000-0x0000000003C9E000-memory.dmp	upx
behavioral1/memory/1052-72-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1052-75-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1052-76-0x0000000002C10000-0x0000000003C9E000-memory.dmp	upx
behavioral1/memory/1052-82-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1052-83-0x0000000002C10000-0x0000000003C9E000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe.lnk	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe

Loads dropped DLL 1 IoCs

Processes:

5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe

pid process

2000 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

svhost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svhost.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svhost.exe

description	ioc	process
File opened (read-only)	\??\F:	svhost.exe
File opened (read-only)	\??\G:	svhost.exe
File opened (read-only)	\??\J:	svhost.exe
File opened (read-only)	\??\K:	svhost.exe
File opened (read-only)	\??\O:	svhost.exe
File opened (read-only)	\??\U:	svhost.exe
File opened (read-only)	\??\X:	svhost.exe
File opened (read-only)	\??\E:	svhost.exe
File opened (read-only)	\??\Z:	svhost.exe
File opened (read-only)	\??\W:	svhost.exe
File opened (read-only)	\??\V:	svhost.exe
File opened (read-only)	\??\M:	svhost.exe
File opened (read-only)	\??\N:	svhost.exe
File opened (read-only)	\??\Q:	svhost.exe
File opened (read-only)	\??\R:	svhost.exe
File opened (read-only)	\??\S:	svhost.exe
File opened (read-only)	\??\T:	svhost.exe
File opened (read-only)	\??\Y:	svhost.exe
File opened (read-only)	\??\I:	svhost.exe
File opened (read-only)	\??\L:	svhost.exe
File opened (read-only)	\??\P:	svhost.exe
File opened (read-only)	\??\H:	svhost.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

svhost.exe

description ioc process

File opened for modification C:\autorun.inf svhost.exe

description	ioc	process
File opened for modification	C:\autorun.inf	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe

description	pid	process	target process
PID 2000 set thread context of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

svhost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	svhost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	svhost.exe

Drops file in Windows directory 1 IoCs

Processes:

svhost.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Windows\svhost.exe:Zone.Identifier cmd.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	svhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Windows\svhost.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exesvhost.exe

pid	process
2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
1052	svhost.exe
2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe
1052	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
Token: SeDebugPrivilege	1052	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid process

1052 svhost.exe

pid	process
1052	svhost.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.execmd.exesvhost.exe

description	pid	process	target process
PID 2000 wrote to memory of 1272	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	cmd.exe
PID 2000 wrote to memory of 1272	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	cmd.exe
PID 2000 wrote to memory of 1272	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	cmd.exe
PID 2000 wrote to memory of 1272	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	cmd.exe
PID 1272 wrote to memory of 1248	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 1248	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 1248	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 1248	1272	cmd.exe	reg.exe
PID 2000 wrote to memory of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe
PID 2000 wrote to memory of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe
PID 2000 wrote to memory of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe
PID 2000 wrote to memory of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe
PID 2000 wrote to memory of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe
PID 2000 wrote to memory of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe
PID 2000 wrote to memory of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe
PID 2000 wrote to memory of 1052	2000	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe	svhost.exe
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 2000	1052	svhost.exe	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
PID 1052 wrote to memory of 2000	1052	svhost.exe	5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE
PID 1052 wrote to memory of 1104	1052	svhost.exe	taskhost.exe
PID 1052 wrote to memory of 1164	1052	svhost.exe	Dwm.exe
PID 1052 wrote to memory of 1212	1052	svhost.exe	Explorer.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svhost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
"C:\Users\Admin\AppData\Local\Temp\5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
3⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows\svhost.exe.lnk" /f
4⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1052

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\svhost.exe
Filesize
567KB

MD5
742fa4d87468c0627133ec45629c692d

SHA1
d9bb92a9b3a050394f8008d76e94eb8cffb82787

SHA256
5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2

SHA512
70218d835228e6180971e833ef477f9e8648bc03d877b466d8d4778f7598278dab46bec44767265c7a66873eea09d7a13d36496d156c53e4fcc1893db17b9bb4

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
memory/1052-69-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1052-65-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1052-60-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1052-61-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1052-63-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1052-66-0x00000000004629D0-mapping.dmp

Download
memory/1052-78-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1052-82-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1052-84-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1052-71-0x0000000002C10000-0x0000000003C9E000-memory.dmp

Filesize
16.6MB

Download
memory/1052-72-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1052-75-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1052-76-0x0000000002C10000-0x0000000003C9E000-memory.dmp

Filesize
16.6MB

Download
memory/1052-83-0x0000000002C10000-0x0000000003C9E000-memory.dmp

Filesize
16.6MB

Download
memory/1248-57-0x0000000000000000-mapping.dmp

Download
memory/1272-56-0x0000000000000000-mapping.dmp

Download
memory/2000-80-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-81-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-55-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-77-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/2000-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads