modiloader | 6522d87fff659d4824fc0af008bc7d91d2ecccc2ad4e938e931084a25d989fba

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00c0cd053435714d7b57b052d668e13f.exe
Size

667KB
MD5

00c0cd053435714d7b57b052d668e13f
SHA1

da5381f70f07e0d3357d927668997bf8ab58ba89
SHA256

6522d87fff659d4824fc0af008bc7d91d2ecccc2ad4e938e931084a25d989fba
SHA512

e67d07bd2d515a006d186234266a68a1d3cd881dda8536d274fac97939e6185419a0f20d1c105a7696debf8e2680054010be02cfec5533f8939f21657fe62b33
SSDEEP

12288:WbMqmAEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WImEEb4Ev/ATEXKGVnGTzpA1Ec1A

Score

10^/10

modiloader evasion persistence spyware stealer trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	bohost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	DV245F.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ciatiow.exe

ModiLoader Second Stage 14 IoCs

resource	yara_rule
behavioral1/memory/2320-10-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral1/memory/3028-13-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/3028-15-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/3028-14-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/files/0x0009000000016176-44.dat	modiloader_stage2
behavioral1/files/0x0009000000016176-46.dat	modiloader_stage2
behavioral1/files/0x0009000000016176-49.dat	modiloader_stage2
behavioral1/files/0x0009000000016176-51.dat	modiloader_stage2
behavioral1/memory/2540-64-0x0000000000400000-0x000000000041E000-memory.dmp	modiloader_stage2
behavioral1/memory/2844-81-0x0000000000290000-0x0000000000390000-memory.dmp	modiloader_stage2
behavioral1/memory/3028-93-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-216-0x00000000004D0000-0x00000000005D0000-memory.dmp	modiloader_stage2
behavioral1/memory/3028-219-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-283-0x00000000004D0000-0x00000000005D0000-memory.dmp	modiloader_stage2

Disables taskbar notifications via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
884	cmd.exe

Executes dropped EXE 8 IoCs

pid	Process
2204	DV245F.exe
2608	ciatiow.exe
2540	aohost.exe
2424	aohost.exe
2844	bohost.exe
952	dohost.exe
412	bohost.exe
2640	bohost.exe

Loads dropped DLL 10 IoCs

pid	Process
3028	00c0cd053435714d7b57b052d668e13f.exe
3028	00c0cd053435714d7b57b052d668e13f.exe
2204	DV245F.exe
2204	DV245F.exe
3028	00c0cd053435714d7b57b052d668e13f.exe
3028	00c0cd053435714d7b57b052d668e13f.exe
3028	00c0cd053435714d7b57b052d668e13f.exe
3028	00c0cd053435714d7b57b052d668e13f.exe
3028	00c0cd053435714d7b57b052d668e13f.exe
3028	00c0cd053435714d7b57b052d668e13f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-2-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/3028-4-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/3028-6-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/3028-12-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/3028-13-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/3028-15-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/3028-14-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2424-54-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2424-56-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2424-59-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2424-67-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2424-68-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2424-70-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2844-79-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/3028-93-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2424-94-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/412-108-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2844-110-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2844-213-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2640-215-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/3028-219-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2844-290-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /J"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /v"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /b"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /A"	DV245F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /U"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /Y"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /X"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /t"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /z"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /u"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /k"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /i"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /T"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /q"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /m"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /n"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /C"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /x"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /f"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /Q"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /D"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /F"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /I"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /O"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /w"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /j"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /N"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /h"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /L"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /W"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /S"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /A"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /M"	ciatiow.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\82B.exe = "C:\\Program Files (x86)\\LP\\DF67\\82B.exe"	bohost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /g"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /H"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /o"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /Z"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /c"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /P"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /y"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /R"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /B"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /r"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /V"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /K"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /G"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /a"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /e"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /l"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /E"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /p"	ciatiow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciatiow = "C:\\Users\\Admin\\ciatiow.exe /d"	ciatiow.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	aohost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	aohost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 2540 set thread context of 2424	2540	aohost.exe	36

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\DF67\82B.exe	bohost.exe
File created	C:\Program Files (x86)\LP\DF67\82B.exe	bohost.exe
File opened for modification	C:\Program Files (x86)\LP\DF67\B319.tmp	bohost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2412	tasklist.exe
872	tasklist.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	DV245F.exe
2204	DV245F.exe
2608	ciatiow.exe
2608	ciatiow.exe
2424	aohost.exe
2608	ciatiow.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2608	ciatiow.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe
2844	bohost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2040	explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeSecurityPrivilege	2268	msiexec.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeDebugPrivilege	872	tasklist.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3028	00c0cd053435714d7b57b052d668e13f.exe
2204	DV245F.exe
2608	ciatiow.exe
952	dohost.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 2320 wrote to memory of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 2320 wrote to memory of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 2320 wrote to memory of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 2320 wrote to memory of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 2320 wrote to memory of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 2320 wrote to memory of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 2320 wrote to memory of 3028	2320	00c0cd053435714d7b57b052d668e13f.exe	28
PID 3028 wrote to memory of 2204	3028	00c0cd053435714d7b57b052d668e13f.exe	29
PID 3028 wrote to memory of 2204	3028	00c0cd053435714d7b57b052d668e13f.exe	29
PID 3028 wrote to memory of 2204	3028	00c0cd053435714d7b57b052d668e13f.exe	29
PID 3028 wrote to memory of 2204	3028	00c0cd053435714d7b57b052d668e13f.exe	29
PID 2204 wrote to memory of 2608	2204	DV245F.exe	30
PID 2204 wrote to memory of 2608	2204	DV245F.exe	30
PID 2204 wrote to memory of 2608	2204	DV245F.exe	30
PID 2204 wrote to memory of 2608	2204	DV245F.exe	30
PID 2204 wrote to memory of 2632	2204	DV245F.exe	31
PID 2204 wrote to memory of 2632	2204	DV245F.exe	31
PID 2204 wrote to memory of 2632	2204	DV245F.exe	31
PID 2204 wrote to memory of 2632	2204	DV245F.exe	31
PID 2632 wrote to memory of 2412	2632	cmd.exe	33
PID 2632 wrote to memory of 2412	2632	cmd.exe	33
PID 2632 wrote to memory of 2412	2632	cmd.exe	33
PID 2632 wrote to memory of 2412	2632	cmd.exe	33
PID 3028 wrote to memory of 2540	3028	00c0cd053435714d7b57b052d668e13f.exe	35
PID 3028 wrote to memory of 2540	3028	00c0cd053435714d7b57b052d668e13f.exe	35
PID 3028 wrote to memory of 2540	3028	00c0cd053435714d7b57b052d668e13f.exe	35
PID 3028 wrote to memory of 2540	3028	00c0cd053435714d7b57b052d668e13f.exe	35
PID 2540 wrote to memory of 2424	2540	aohost.exe	36
PID 2540 wrote to memory of 2424	2540	aohost.exe	36
PID 2540 wrote to memory of 2424	2540	aohost.exe	36
PID 2540 wrote to memory of 2424	2540	aohost.exe	36
PID 2540 wrote to memory of 2424	2540	aohost.exe	36
PID 2540 wrote to memory of 2424	2540	aohost.exe	36
PID 2540 wrote to memory of 2424	2540	aohost.exe	36
PID 2540 wrote to memory of 2424	2540	aohost.exe	36
PID 3028 wrote to memory of 2844	3028	00c0cd053435714d7b57b052d668e13f.exe	37
PID 3028 wrote to memory of 2844	3028	00c0cd053435714d7b57b052d668e13f.exe	37
PID 3028 wrote to memory of 2844	3028	00c0cd053435714d7b57b052d668e13f.exe	37
PID 3028 wrote to memory of 2844	3028	00c0cd053435714d7b57b052d668e13f.exe	37
PID 3028 wrote to memory of 952	3028	00c0cd053435714d7b57b052d668e13f.exe	39
PID 3028 wrote to memory of 952	3028	00c0cd053435714d7b57b052d668e13f.exe	39
PID 3028 wrote to memory of 952	3028	00c0cd053435714d7b57b052d668e13f.exe	39
PID 3028 wrote to memory of 952	3028	00c0cd053435714d7b57b052d668e13f.exe	39
PID 2844 wrote to memory of 412	2844	bohost.exe	41
PID 2844 wrote to memory of 412	2844	bohost.exe	41
PID 2844 wrote to memory of 412	2844	bohost.exe	41
PID 2844 wrote to memory of 412	2844	bohost.exe	41
PID 2844 wrote to memory of 2640	2844	bohost.exe	44
PID 2844 wrote to memory of 2640	2844	bohost.exe	44
PID 2844 wrote to memory of 2640	2844	bohost.exe	44
PID 2844 wrote to memory of 2640	2844	bohost.exe	44
PID 3028 wrote to memory of 884	3028	00c0cd053435714d7b57b052d668e13f.exe	46
PID 3028 wrote to memory of 884	3028	00c0cd053435714d7b57b052d668e13f.exe	46
PID 3028 wrote to memory of 884	3028	00c0cd053435714d7b57b052d668e13f.exe	46
PID 3028 wrote to memory of 884	3028	00c0cd053435714d7b57b052d668e13f.exe	46
PID 884 wrote to memory of 872	884	cmd.exe	48
PID 884 wrote to memory of 872	884	cmd.exe	48
PID 884 wrote to memory of 872	884	cmd.exe	48
PID 884 wrote to memory of 872	884	cmd.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	bohost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bohost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\00c0cd053435714d7b57b052d668e13f.exe
"C:\Users\Admin\AppData\Local\Temp\00c0cd053435714d7b57b052d668e13f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\00c0cd053435714d7b57b052d668e13f.exe
  00c0cd053435714d7b57b052d668e13f.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\DV245F.exe
    C:\Users\Admin\DV245F.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\ciatiow.exe
      "C:\Users\Admin\ciatiow.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
- - C:\Users\Admin\aohost.exe
    C:\Users\Admin\aohost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\aohost.exe
      aohost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:2424
- - C:\Users\Admin\bohost.exe
    C:\Users\Admin\bohost.exe
    3⤵
    - Modifies security service
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2844
  - - C:\Users\Admin\bohost.exe
      C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\7981D\E80DF.exe%C:\Users\Admin\AppData\Roaming\7981D
      4⤵
      Executes dropped EXE
      PID:412
  - - C:\Users\Admin\bohost.exe
      C:\Users\Admin\bohost.exe startC:\Program Files (x86)\1D26E\lvvm.exe%C:\Program Files (x86)\1D26E
      4⤵
      Executes dropped EXE
      PID:2640
- - C:\Users\Admin\dohost.exe
    C:\Users\Admin\dohost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 00c0cd053435714d7b57b052d668e13f.exe
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7981D\D26E.981

Filesize
600B

MD5
efc36b8eb0285b25783a63c6807a133d

SHA1
d1971659016077267f28e6a13a7a1ad4b530a7b8

SHA256
d43d4a7e4c3df8855f2b76e90fce6721b905b588392d47f81c5e22d648b20657

SHA512
31cb5d4cad4e7628da2688094d4647d150e88c6e4246b70bda0d0b7549472e36ef0962ccef022a47127931726fff18a1067b4a445622ca15d322e5892f71ee1e

Download Submit
C:\Users\Admin\AppData\Roaming\7981D\D26E.981

Filesize
897B

MD5
f9832185e8c46a1caf2639359291639a

SHA1
76a0a3700b566c948b5049ee29a73817da2a6db1

SHA256
f389d59985a4166682157754fec809a6aa06ed43dbbf49e077175a409542c751

SHA512
2deee2fc94e4186002c2b770370c920fcdcb0fe413f1c018b6e3d9460ccf0532086f07681acef49d144eced6a809fc3a3ec2b71fc50c384ca79a7689880c39cf

Download Submit
C:\Users\Admin\AppData\Roaming\7981D\D26E.981

Filesize
1KB

MD5
85c0e06e40052ea79b55c7f54469fe37

SHA1
0369363738dd74cc8ccdfd4ae53081ff26ea1b07

SHA256
def860b76705e5a5536f7c220ef4308b48f4e9090693bdfb66381e546d4c0b50

SHA512
5dd3bed68649009b2a7cabe9c297873b725d0cfe8d71a447e39f564b38b8a39824adc017abb474db4a13f3f7eb0405b702ca4b751fa8ddfda5e2cb0196515a03

Download Submit
C:\Users\Admin\aohost.exe

Filesize
27KB

MD5
94f67095ce061b938dcb64d1847ec208

SHA1
2b607869f682da98d53b4803d20eb1d3c798ef17

SHA256
6d9e7f85f69b6fa2b4ec7fd355bcf069899978eb3812e680d37de968b80011c9

SHA512
4db768325dfca7984962a884b1eb8e53baa9e779de00345c1137bb1af557a641245bb14001f78264630bf4ca833e6e438028b762f856c73f7f6c6728e5692bdb

Download Submit
C:\Users\Admin\aohost.exe

Filesize
152KB

MD5
4401958b004eb197d4f0c0aaccee9a18

SHA1
50e600f7c5c918145c5a270b472b114faa72a971

SHA256
4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b

SHA512
f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6

Download Submit
C:\Users\Admin\bohost.exe

Filesize
173KB

MD5
0578a41258df62b7b4320ceaafedde53

SHA1
50e7c0b00f8f1e5355423893f10ae8ee844d70f4

SHA256
18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf

SHA512
5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09

Download Submit
C:\Users\Admin\dohost.exe

Filesize
24KB

MD5
d7390e209a42ea46d9cbfc5177b8324e

SHA1
eff57330de49be19d2514dd08e614afc97b061d2

SHA256
d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5

SHA512
de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d

Download Submit
\Users\Admin\DV245F.exe

Filesize
216KB

MD5
00b1af88e176b5fdb1b82a38cfdce35b

SHA1
c0f77262df92698911e0ac2f7774e93fc6b06280

SHA256
50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59

SHA512
9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f

Download Submit
\Users\Admin\aohost.exe

Filesize
128KB

MD5
fd85d1a8657abcee7143febbd2f2d574

SHA1
fb10694850f2f0bfc9c7104561ba8898e639ab6b

SHA256
cf9fce3c8dcd7238c93f2c84346fb16f7e3650bb18a65919c345d4556a30aa59

SHA512
c1c2768f8df803006365cc10269057a11f22d93de9b31ac61e36f1c406081d7fb2cdd8945e55cfe8490ac68859baecc45b678e2241a83a11fec882e637a89df0

Download Submit
\Users\Admin\aohost.exe

Filesize
8KB

MD5
fb6bd43c7f7717f711a582fecece29b9

SHA1
ffa6c434eaf4e25e5b886ec5711748cca4b34e30

SHA256
8db254af692a7c4e61f6248791ac6ead81f10914d83db4b6c65bea32a015dd44

SHA512
b639066e74f4265b53823cefe2abc1bc1ab54bb222f1b25445aee82405d8009bda7c31784588558db8c0280ef998b3d342ae91e258d3733cabd1fee68817954b

Download Submit
\Users\Admin\ciatiow.exe

Filesize
216KB

MD5
fb6ace4495426a2e66677f2f63840dbb

SHA1
1b856d5d0ec9406f57535f3a98f82d56f8044959

SHA256
36ca8237c667dc04b6398c1271dd1e02d6ac0913c1b4ef979a6255ab88edc709

SHA512
f16ea5d8ef6afaa97f4e7da4c933d6cf39f659e123b3e08734c08f1c9deec69e39a59ded3b7e49bebbe630729169883b5e51915c5d5c005bfabdf9087b3697f6

Download Submit
memory/412-108-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2040-287-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2040-221-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2320-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2424-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-52-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-94-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2540-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2640-216-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-215-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2640-283-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2844-213-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2844-81-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2844-290-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2844-79-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2844-110-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2844-112-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/3028-6-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-4-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-93-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-12-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-218-0x0000000002BD0000-0x000000000368A000-memory.dmp

Filesize
10.7MB

Download
memory/3028-219-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-13-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-2-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-15-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-14-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3028-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download