sality | 880e5a11c5dc597bef079d42bb3d7ee054ee236c213cdb996306f561bae455bc

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

880e5a11c5dc597bef079d42bb3d7ee054ee236c213cdb996306f561bae455bc.dll
Size

120KB
MD5

8d6eb02480c0ba49c2b32b6d0c05ffd1
SHA1

1b4bcb418e9703e17f79d6eae12825c07c3fc47b
SHA256

880e5a11c5dc597bef079d42bb3d7ee054ee236c213cdb996306f561bae455bc
SHA512

30d7f68161374e070d58c6d139ba92f00a9b260da9bc443029c8d0c7a1439f8652f857787a29fe69cf11f85147ed9d63980e9461d1bcf85b52cee349b57b4697
SSDEEP

3072:92InALuPiyh0gx8Wopx11lBz87OTreeT39:znALuPirzy7Onh

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

f76564a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f76564a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

f76564a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76564a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76564a.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76564a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76564a.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2392-12-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-15-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-16-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-19-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-23-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-26-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-30-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-40-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-54-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-56-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-57-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-58-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-59-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-60-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-77-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-78-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-79-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-82-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-84-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-85-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-89-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2392-91-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 27 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2392-13-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2392-12-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-15-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-16-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-19-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-23-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-26-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-30-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2972-52-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2392-40-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-54-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-56-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-57-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-58-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-59-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-60-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/3000-76-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2392-77-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-78-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-79-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-82-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-84-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-85-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-89-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2392-91-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2972-105-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/3000-106-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

f76564a.exef766049.exef7670fb.exe

pid process

2392 f76564a.exe
2972 f766049.exe
3000 f7670fb.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2356 rundll32.exe
2356 rundll32.exe
2356 rundll32.exe
2356 rundll32.exe
2356 rundll32.exe
2356 rundll32.exe

pid	process
2392	f76564a.exe
2972	f766049.exe
3000	f7670fb.exe

pid	process
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2392-12-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-15-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-16-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-19-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-23-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-26-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-30-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-40-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-54-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-56-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-57-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-58-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-59-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-60-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-77-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-78-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-79-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-82-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-84-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-85-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-89-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2392-91-0x0000000000520000-0x00000000015DA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76564a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76564a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76564a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f76564a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

f76564a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76564a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76564a.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f76564a.exe

description	ioc	process
File opened (read-only)	\??\I:	f76564a.exe
File opened (read-only)	\??\J:	f76564a.exe
File opened (read-only)	\??\K:	f76564a.exe
File opened (read-only)	\??\L:	f76564a.exe
File opened (read-only)	\??\E:	f76564a.exe
File opened (read-only)	\??\G:	f76564a.exe
File opened (read-only)	\??\H:	f76564a.exe

Drops file in Windows directory 2 IoCs

Processes:

f76564a.exe

description ioc process

File created C:\Windows\f765792 f76564a.exe
File opened for modification C:\Windows\SYSTEM.INI f76564a.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f76564a.exe

pid process

2392 f76564a.exe

description	ioc	process
File created	C:\Windows\f765792	f76564a.exe
File opened for modification	C:\Windows\SYSTEM.INI	f76564a.exe

pid	process
2392	f76564a.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

f76564a.exe

description	pid	process
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe
Token: SeDebugPrivilege	2392	f76564a.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

rundll32.exerundll32.exef76564a.exe

description	pid	process	target process
PID 1648 wrote to memory of 2356	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2356	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2356	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2356	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2356	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2356	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2356	1648	rundll32.exe	rundll32.exe
PID 2356 wrote to memory of 2392	2356	rundll32.exe	f76564a.exe
PID 2356 wrote to memory of 2392	2356	rundll32.exe	f76564a.exe
PID 2356 wrote to memory of 2392	2356	rundll32.exe	f76564a.exe
PID 2356 wrote to memory of 2392	2356	rundll32.exe	f76564a.exe
PID 2392 wrote to memory of 1128	2392	f76564a.exe	taskhost.exe
PID 2392 wrote to memory of 1176	2392	f76564a.exe	Dwm.exe
PID 2392 wrote to memory of 1204	2392	f76564a.exe	Explorer.EXE
PID 2392 wrote to memory of 2220	2392	f76564a.exe	DllHost.exe
PID 2392 wrote to memory of 1648	2392	f76564a.exe	rundll32.exe
PID 2392 wrote to memory of 2356	2392	f76564a.exe	rundll32.exe
PID 2392 wrote to memory of 2356	2392	f76564a.exe	rundll32.exe
PID 2356 wrote to memory of 2972	2356	rundll32.exe	f766049.exe
PID 2356 wrote to memory of 2972	2356	rundll32.exe	f766049.exe
PID 2356 wrote to memory of 2972	2356	rundll32.exe	f766049.exe
PID 2356 wrote to memory of 2972	2356	rundll32.exe	f766049.exe
PID 2356 wrote to memory of 3000	2356	rundll32.exe	f7670fb.exe
PID 2356 wrote to memory of 3000	2356	rundll32.exe	f7670fb.exe
PID 2356 wrote to memory of 3000	2356	rundll32.exe	f7670fb.exe
PID 2356 wrote to memory of 3000	2356	rundll32.exe	f7670fb.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

f76564a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76564a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76564a.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\880e5a11c5dc597bef079d42bb3d7ee054ee236c213cdb996306f561bae455bc.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\880e5a11c5dc597bef079d42bb3d7ee054ee236c213cdb996306f561bae455bc.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\f76564a.exe
C:\Users\Admin\AppData\Local\Temp\f76564a.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2392

C:\Users\Admin\AppData\Local\Temp\f766049.exe
C:\Users\Admin\AppData\Local\Temp\f766049.exe
4⤵
- Executes dropped EXE
PID:2972

C:\Users\Admin\AppData\Local\Temp\f7670fb.exe
C:\Users\Admin\AppData\Local\Temp\f7670fb.exe
4⤵
- Executes dropped EXE
PID:3000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2220

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f76564a.exe
Filesize
97KB

MD5
5ec91a8e0dbba87def9603f1bfa29ebb

SHA1
aa77f7a1026cd73c845096ec2fe3e83f2e7c9149

SHA256
54cbfb69918ceb312857e4bcc2a63d0fdc8d0d4cb654702a15d052fed766e8e0

SHA512
cc89e922fb43f0aca665a27cc2655dc626fa6d20b6da2e55bc055c7b5ba0a054e6e0f7521f7bf452bad100f92f722ce667630fbedcc225c759ce6220f1aed6b5

Download Submit
memory/1128-17-0x0000000001D20000-0x0000000001D22000-memory.dmp

Filesize
8KB

Download
memory/2356-70-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2356-68-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2356-9-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2356-0-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2356-38-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2356-73-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2356-11-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/2356-74-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2356-10-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/2356-51-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2356-41-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2356-31-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2356-36-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2392-19-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-79-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-26-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-91-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-23-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-40-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-54-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-56-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-57-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-58-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-59-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-60-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-16-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-89-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-15-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-12-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2392-77-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-78-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-30-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-82-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-84-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2392-85-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2972-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2972-105-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3000-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3000-106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads