modiloader | 90653158d2956b7a08a653a03fcadb97b5d8efabdab5d044dc688fa3ab470ab5

General

Target

25.exe
Size

769KB
MD5

9e9770e3e6841fb84f3a6a09319e00d5
SHA1

6cd473a89a6318aa8bc06fca2b309ec090c2196e
SHA256

90653158d2956b7a08a653a03fcadb97b5d8efabdab5d044dc688fa3ab470ab5
SHA512

87f273bf336d9342195f339908b544a503b8929cb513a8dc8a519a2ffd3b2d42120065f4a2603ec0f27bf4760fea7a922c2102c83a9b7fd0506116358889cc35

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

C2

91.207.57.115:5079

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 38 IoCs

Processes:

resource	yara_rule
behavioral1/memory/896-65-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-66-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-67-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-68-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-69-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-70-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-71-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-72-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-73-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-74-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-75-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-76-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-77-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-78-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-79-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-80-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-81-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-82-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-83-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-84-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-85-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-86-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-87-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-88-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-89-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-90-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-106-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-109-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-111-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-112-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-113-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-120-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-121-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-122-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-124-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-125-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-126-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2
behavioral1/memory/896-127-0x0000000004860000-0x00000000048AA000-memory.dmp	modiloader_stage2

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/292-108-0x0000000010670000-0x00000000107C6000-memory.dmp	warzonerat
behavioral1/memory/292-110-0x00000000009A0000-0x0000000000AF4000-memory.dmp	warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

25.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kljwgyi = "C:\\Users\\Public\\Libraries\\iygwjlK.url"	25.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

25.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BDFDCAA3D53E97D1940ED9FD6F8AD5D00EACD83	25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BDFDCAA3D53E97D1940ED9FD6F8AD5D00EACD83\Blob = 0f0000000100000020000000a7028b93aeeb88736b4c31672adc13d76a07f13eec230e098b6d988560458c4f0300000001000000140000008bdfdcaa3d53e97d1940ed9fd6f8ad5d00eacd832000000001000000f9020000308202f5308201dda0030201020210073421b2bd315caa4aa75fb9f86f400d300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393130303030305a170d3237303432383130303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a70999e270175984af774b12da719c9536b539022abf420b6223456c88b1adf2615b9ccc196383a3181f68f9657ab40f13405b6a06fe4dfe3d0352dac1f0f138eb03a8d60aefe7e2b2e77b38f6ad2a64f8ee807c34861b4d12e65612055d60ca41908207c127d62178d4bbdd34430f7f0b647c2c333b77ac8e1689be17852331c1bd3e836dd656231ab112fa67501f1ffe3bbd1adc17325e442d22247be092fe51c0e32daa34653184e7d254f25358d104a4c7b15ff931d46bd7a7e800f91cf3aa89922fa7d98c6e93e76ad2391892a21afb32cacbd3aa26e205f8bce123f076517668596b833fd64ac38a63b40234d9ce4bb3bb08cb4aa295bc6966cd3613f90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cd7c6be15b815b8e3c4409e537c311309c7b322d300d06092a864886f70d01010b0500038201010087d2408a5a0d7a02136b84fd81d791a9d83485919135ac495d42dd38520577bb2592f492818192397db4ee723912d824c514887c3d7ae34c9b33cf3393db9b0549d2a8d84c2aed04a9731fd7670f2ea7ade92453231eac4b4a3e05256a800e933d70665c640a70718ce770e892cc0d0401d5039c6426d7fc3c9b456641d2e93f662b413197d063309915a6dd832aea728c2c149a3e40273cd7d985fd54caebee833c1e405ca8b1f3fd0bac7f8196022f308b8c8f3ac06d86f65ee3638862d8c793b31fce9435dbd9c630ef7928b093e414ed6c9925f989b076059f55e12a6cd6bfa5644c33d79cac98665b826cef1d719908fbeff276e6c7ff6e1c50b7215c84	25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BDFDCAA3D53E97D1940ED9FD6F8AD5D00EACD83\Blob = 140000000100000014000000cd7c6be15b815b8e3c4409e537c311309c7b322d0300000001000000140000008bdfdcaa3d53e97d1940ed9fd6f8ad5d00eacd830f0000000100000020000000a7028b93aeeb88736b4c31672adc13d76a07f13eec230e098b6d988560458c4f2000000001000000f9020000308202f5308201dda0030201020210073421b2bd315caa4aa75fb9f86f400d300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393130303030305a170d3237303432383130303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a70999e270175984af774b12da719c9536b539022abf420b6223456c88b1adf2615b9ccc196383a3181f68f9657ab40f13405b6a06fe4dfe3d0352dac1f0f138eb03a8d60aefe7e2b2e77b38f6ad2a64f8ee807c34861b4d12e65612055d60ca41908207c127d62178d4bbdd34430f7f0b647c2c333b77ac8e1689be17852331c1bd3e836dd656231ab112fa67501f1ffe3bbd1adc17325e442d22247be092fe51c0e32daa34653184e7d254f25358d104a4c7b15ff931d46bd7a7e800f91cf3aa89922fa7d98c6e93e76ad2391892a21afb32cacbd3aa26e205f8bce123f076517668596b833fd64ac38a63b40234d9ce4bb3bb08cb4aa295bc6966cd3613f90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cd7c6be15b815b8e3c4409e537c311309c7b322d300d06092a864886f70d01010b0500038201010087d2408a5a0d7a02136b84fd81d791a9d83485919135ac495d42dd38520577bb2592f492818192397db4ee723912d824c514887c3d7ae34c9b33cf3393db9b0549d2a8d84c2aed04a9731fd7670f2ea7ade92453231eac4b4a3e05256a800e933d70665c640a70718ce770e892cc0d0401d5039c6426d7fc3c9b456641d2e93f662b413197d063309915a6dd832aea728c2c149a3e40273cd7d985fd54caebee833c1e405ca8b1f3fd0bac7f8196022f308b8c8f3ac06d86f65ee3638862d8c793b31fce9435dbd9c630ef7928b093e414ed6c9925f989b076059f55e12a6cd6bfa5644c33d79cac98665b826cef1d719908fbeff276e6c7ff6e1c50b7215c84	25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BDFDCAA3D53E97D1940ED9FD6F8AD5D00EACD83\Blob = 190000000100000010000000a8355bdb761b1b8acb37320dbda0c5b10f0000000100000020000000a7028b93aeeb88736b4c31672adc13d76a07f13eec230e098b6d988560458c4f0300000001000000140000008bdfdcaa3d53e97d1940ed9fd6f8ad5d00eacd83140000000100000014000000cd7c6be15b815b8e3c4409e537c311309c7b322d2000000001000000f9020000308202f5308201dda0030201020210073421b2bd315caa4aa75fb9f86f400d300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393130303030305a170d3237303432383130303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a70999e270175984af774b12da719c9536b539022abf420b6223456c88b1adf2615b9ccc196383a3181f68f9657ab40f13405b6a06fe4dfe3d0352dac1f0f138eb03a8d60aefe7e2b2e77b38f6ad2a64f8ee807c34861b4d12e65612055d60ca41908207c127d62178d4bbdd34430f7f0b647c2c333b77ac8e1689be17852331c1bd3e836dd656231ab112fa67501f1ffe3bbd1adc17325e442d22247be092fe51c0e32daa34653184e7d254f25358d104a4c7b15ff931d46bd7a7e800f91cf3aa89922fa7d98c6e93e76ad2391892a21afb32cacbd3aa26e205f8bce123f076517668596b833fd64ac38a63b40234d9ce4bb3bb08cb4aa295bc6966cd3613f90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cd7c6be15b815b8e3c4409e537c311309c7b322d300d06092a864886f70d01010b0500038201010087d2408a5a0d7a02136b84fd81d791a9d83485919135ac495d42dd38520577bb2592f492818192397db4ee723912d824c514887c3d7ae34c9b33cf3393db9b0549d2a8d84c2aed04a9731fd7670f2ea7ade92453231eac4b4a3e05256a800e933d70665c640a70718ce770e892cc0d0401d5039c6426d7fc3c9b456641d2e93f662b413197d063309915a6dd832aea728c2c149a3e40273cd7d985fd54caebee833c1e405ca8b1f3fd0bac7f8196022f308b8c8f3ac06d86f65ee3638862d8c793b31fce9435dbd9c630ef7928b093e414ed6c9925f989b076059f55e12a6cd6bfa5644c33d79cac98665b826cef1d719908fbeff276e6c7ff6e1c50b7215c84	25.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1360 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1360 powershell.exe

pid	process
1360	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1360	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

25.execmd.execmd.exenet.exe

description	pid	process	target process
PID 896 wrote to memory of 1776	896	25.exe	cmd.exe
PID 896 wrote to memory of 1776	896	25.exe	cmd.exe
PID 896 wrote to memory of 1776	896	25.exe	cmd.exe
PID 896 wrote to memory of 1776	896	25.exe	cmd.exe
PID 1776 wrote to memory of 1312	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1312	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1312	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1312	1776	cmd.exe	cmd.exe
PID 1312 wrote to memory of 1512	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1512	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1512	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1512	1312	cmd.exe	net.exe
PID 1512 wrote to memory of 2016	1512	net.exe	net1.exe
PID 1512 wrote to memory of 2016	1512	net.exe	net1.exe
PID 1512 wrote to memory of 2016	1512	net.exe	net1.exe
PID 1512 wrote to memory of 2016	1512	net.exe	net1.exe
PID 1312 wrote to memory of 1360	1312	cmd.exe	powershell.exe
PID 1312 wrote to memory of 1360	1312	cmd.exe	powershell.exe
PID 1312 wrote to memory of 1360	1312	cmd.exe	powershell.exe
PID 1312 wrote to memory of 1360	1312	cmd.exe	powershell.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe
PID 896 wrote to memory of 292	896	25.exe	logagent.exe

C:\Users\Admin\AppData\Local\Temp\25.exe
"C:\Users\Admin\AppData\Local\Temp\25.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\Kljwgyit.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\KljwgyiO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
2⤵
PID:292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\KljwgyiO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Kljwgyit.bat
Filesize
56B

MD5
83883f168c4b1a3b73708bb17150bcb7

SHA1
639f61ce1efb1609213ac36b6f12c8d9cf745716

SHA256
e1785d8847cbf32dbf9dae937e460527aa6f6cbff16d367e4599dfbcd95464cd

SHA512
55109fac8ab70d349ad1bba4399d7c02d5a399899009962fc40136e38abccc2498109584afe460f6acbc70e5b3f113c578db21853a90c20579d375d8eb6ecef1

Download Submit
memory/292-110-0x00000000009A0000-0x0000000000AF4000-memory.dmp

Filesize
1.3MB

Download
memory/292-108-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/292-104-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/292-102-0x0000000000000000-mapping.dmp

Download
memory/896-77-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-70-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-73-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-74-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-75-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-76-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/896-78-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-79-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-80-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-81-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-82-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-83-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-84-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-85-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-86-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-87-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-88-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-89-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-90-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-127-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-71-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-126-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-72-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-125-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-124-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-69-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-122-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-121-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-68-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-103-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/896-67-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-106-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-66-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-109-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-65-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-111-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-112-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-113-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/896-120-0x0000000004860000-0x00000000048AA000-memory.dmp

Filesize
296KB

Download
memory/1312-93-0x0000000000000000-mapping.dmp

Download
memory/1360-100-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-98-0x0000000000000000-mapping.dmp

Download
memory/1512-95-0x0000000000000000-mapping.dmp

Download
memory/1776-91-0x0000000000000000-mapping.dmp

Download
memory/2016-96-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads