modiloader | 9eef226fdb7d6c554cd552fc3f597ebfd6d77e33b95db53f7a631a75acf0c270

General

Target

SHEOrder-10524.exe
Size

1.6MB
MD5

439f6db2adb770a0f825879c91da9904
SHA1

6b997f099e01ba06378a58115f65d515a22f5fb1
SHA256

9eef226fdb7d6c554cd552fc3f597ebfd6d77e33b95db53f7a631a75acf0c270
SHA512

d3b5475ec41df26581757656b38ae4c20367bce638226b93c1ae2b890e0818c2cb1740fbf8b8108e244a5d5f48c78c0d0fa7fe382aa9fe321a3d696c6d5a30d3
SSDEEP

24576:NGLyrlj2BH1btTfnxx+KKozJQd/HJNRO/BPTQ+l04pEnlk8U2flxAu:NGup2B+K1mzyPTQh4psG2Z

Score

10^/10

modiloader remcos hcode file collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

HCODE FILE

C2

91.223.3.151:4508

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-V052BG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 23 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3376-2-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral2/memory/396-28-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-31-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-33-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-35-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-36-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-38-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-39-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-40-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-41-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-42-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-43-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-44-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-46-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-82-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-90-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-91-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-101-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-102-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-112-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-113-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-123-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/396-124-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4364-61-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/4364-66-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4304-59-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4304-73-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4304-59-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4364-61-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4364-66-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3444-69-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3444-70-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4304-73-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

easinvoker.exelhgtogaW.piflhgtogaW.piflhgtogaW.piflhgtogaW.pif

pid process

3088 easinvoker.exe
396 lhgtogaW.pif
4304 lhgtogaW.pif
4364 lhgtogaW.pif
3444 lhgtogaW.pif
Loads dropped DLL 1 IoCs

Processes:

easinvoker.exe

pid process

3088 easinvoker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3088	easinvoker.exe
396	lhgtogaW.pif
4304	lhgtogaW.pif
4364	lhgtogaW.pif
3444	lhgtogaW.pif

pid	process
3088	easinvoker.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

lhgtogaW.pif

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	lhgtogaW.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SHEOrder-10524.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wagotghl = "C:\\Users\\Public\\Wagotghl.url"	SHEOrder-10524.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

SHEOrder-10524.exelhgtogaW.pif

description	pid	process	target process
PID 3376 set thread context of 396	3376	SHEOrder-10524.exe	lhgtogaW.pif
PID 396 set thread context of 4304	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 set thread context of 4364	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 set thread context of 3444	396	lhgtogaW.pif	lhgtogaW.pif

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	43	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

lhgtogaW.piflhgtogaW.pif

pid process

4304 lhgtogaW.pif
4304 lhgtogaW.pif
3444 lhgtogaW.pif
3444 lhgtogaW.pif
4304 lhgtogaW.pif
4304 lhgtogaW.pif
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

lhgtogaW.pif

pid process

396 lhgtogaW.pif
396 lhgtogaW.pif
396 lhgtogaW.pif
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lhgtogaW.pif

description pid process

Token: SeDebugPrivilege 3444 lhgtogaW.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lhgtogaW.pif

pid process

396 lhgtogaW.pif

pid	process
4304	lhgtogaW.pif
4304	lhgtogaW.pif
3444	lhgtogaW.pif
3444	lhgtogaW.pif
4304	lhgtogaW.pif
4304	lhgtogaW.pif

pid	process
396	lhgtogaW.pif
396	lhgtogaW.pif
396	lhgtogaW.pif

description	pid	process
Token: SeDebugPrivilege	3444	lhgtogaW.pif

pid	process
396	lhgtogaW.pif

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

SHEOrder-10524.execmd.exelhgtogaW.pif

description	pid	process	target process
PID 3376 wrote to memory of 1592	3376	SHEOrder-10524.exe	cmd.exe
PID 3376 wrote to memory of 1592	3376	SHEOrder-10524.exe	cmd.exe
PID 3376 wrote to memory of 1592	3376	SHEOrder-10524.exe	cmd.exe
PID 1592 wrote to memory of 3272	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 3272	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 3272	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 4268	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 4268	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 4268	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 2096	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 2096	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 2096	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 2208	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 2208	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 2208	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 4256	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 4256	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 4256	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 3864	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 3864	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 3864	1592	cmd.exe	xcopy.exe
PID 1592 wrote to memory of 3088	1592	cmd.exe	easinvoker.exe
PID 1592 wrote to memory of 3088	1592	cmd.exe	easinvoker.exe
PID 3376 wrote to memory of 764	3376	SHEOrder-10524.exe	extrac32.exe
PID 3376 wrote to memory of 764	3376	SHEOrder-10524.exe	extrac32.exe
PID 3376 wrote to memory of 764	3376	SHEOrder-10524.exe	extrac32.exe
PID 3376 wrote to memory of 396	3376	SHEOrder-10524.exe	lhgtogaW.pif
PID 3376 wrote to memory of 396	3376	SHEOrder-10524.exe	lhgtogaW.pif
PID 3376 wrote to memory of 396	3376	SHEOrder-10524.exe	lhgtogaW.pif
PID 3376 wrote to memory of 396	3376	SHEOrder-10524.exe	lhgtogaW.pif
PID 3376 wrote to memory of 396	3376	SHEOrder-10524.exe	lhgtogaW.pif
PID 396 wrote to memory of 4304	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 wrote to memory of 4304	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 wrote to memory of 4304	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 wrote to memory of 4364	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 wrote to memory of 4364	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 wrote to memory of 4364	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 wrote to memory of 3444	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 wrote to memory of 3444	396	lhgtogaW.pif	lhgtogaW.pif
PID 396 wrote to memory of 3444	396	lhgtogaW.pif	lhgtogaW.pif

C:\Users\Admin\AppData\Local\Temp\SHEOrder-10524.exe
"C:\Users\Admin\AppData\Local\Temp\SHEOrder-10524.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
3⤵
PID:3272

C:\Windows\SysWOW64\xcopy.exe
xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
3⤵
- Enumerates system info in registry
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
3⤵
PID:2096

C:\Windows\SysWOW64\xcopy.exe
xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y
3⤵
- Enumerates system info in registry
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
3⤵
PID:4256

C:\Windows\SysWOW64\xcopy.exe
xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
3⤵
- Enumerates system info in registry
PID:3864

C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3088

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\SHEOrder-10524.exe C:\\Users\\Public\\Libraries\\Wagotghl.PIF
2⤵
PID:764

C:\Users\Public\Libraries\lhgtogaW.pif
C:\Users\Public\Libraries\lhgtogaW.pif
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Public\Libraries\lhgtogaW.pif
C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\Admin\AppData\Local\Temp\qfpt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Users\Public\Libraries\lhgtogaW.pif
C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\Admin\AppData\Local\Temp\azudcdq"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:4364

C:\Users\Public\Libraries\lhgtogaW.pif
C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\Admin\AppData\Local\Temp\lbawcvblyal"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
8946d4d74d6b7c0995d392a639bdd5d7

SHA1
20581932bd9295e72ea34235af069dfc8de4ec51

SHA256
8aa60ed198f2a56bc2177620ec4641330fa1ff1a6f54ef3a8bb222e55a347177

SHA512
c7dfcb5c2bd94dbef0755e8bef109764284ae98fd89ba7aed5a23a0f1334fc35bf1ac164c4ba76df2d5dcb9ca366e40f7628a9afa7419b4bac6a571bdf77d2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfpt
Filesize
4KB

MD5
f97c396687d09448bccf0c3c470beb25

SHA1
fb14d5b945f3ca0d304750530ae583860940aaeb

SHA256
1e8fe5b750c0b577cfe7732e87fe963547deea8ac3ca24410e32a9066ebd7f5b

SHA512
57b9d7d9d6593df68e84e01a6974b88a382284626397b4cbb0d08257d29d6715347024e0968b052e97d45233f90d608cfb448285064efa62e9fcd3bb583d1e0c

Download Submit
C:\Users\Public\Libraries\WagotghlO.bat
Filesize
29KB

MD5
828ffbf60677999579dafe4bf3919c63

SHA1
a0d159a1b9a49e9eaccc53fe0c3266c0526a1bdc

SHA256
abac4a967800f5da708572ec42441ec373cd52459a83a8a382d6b8579482789d

SHA512
bf00909e24c5a6fb2346e8457a9adacd5f1b35988d90abbde9ff26896bbb59edafea60d9db4d10182a7b5e129bb69585d3e20bc5c63af3517b3a7ef1e45ffb7e

Download Submit
C:\Users\Public\Libraries\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\lhgtogaW.pif
Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Libraries\netutils.dll
Filesize
112KB

MD5
6baaea4d3a65281b55173738795eb02c

SHA1
1fbe7ec7f5e2d1fb0ab1807e149eee66a86f9224

SHA256
0007fa57da2e1de2e487492d00b99abaeca7e9f9cac8a10e24eb569e19f76ee1

SHA512
af0285cf961aeae960ede41f195809e9b84ccb262f17f2e994da5c599ebdf712788e5a3f2e0e2ed16e67aa888bdabfd7a6096ad8dda2d062d2f82b010e81d5c5

Download Submit
memory/396-91-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-90-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-124-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-33-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-36-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-39-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-123-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-113-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-112-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-102-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-101-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-79-0x000000003F250000-0x000000003F269000-memory.dmp

Filesize
100KB

Download
memory/396-83-0x000000003F250000-0x000000003F269000-memory.dmp

Filesize
100KB

Download
memory/396-81-0x000000003F250000-0x000000003F269000-memory.dmp

Filesize
100KB

Download
memory/396-82-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/396-76-0x000000003F250000-0x000000003F269000-memory.dmp

Filesize
100KB

Download
memory/396-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-80-0x000000003F250000-0x000000003F269000-memory.dmp

Filesize
100KB

Download
memory/3088-21-0x00000000613C0000-0x00000000613E3000-memory.dmp

Filesize
140KB

Download
memory/3376-2-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/3376-0-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3376-4-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3376-1-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/3444-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3444-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3444-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3444-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4304-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4304-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4304-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4304-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4364-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4364-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4364-50-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4364-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads