Malware Analysis Report

2024-10-19 07:04

Sample ID 240508-q7kehsfg6s
Target cdf5fd113dde40d22ae10c54022558e0_NEIKI
SHA256 bb7b31ac0a920d74271e910ff619ad0d04867be4e1ff6b4643c0bb8513be3f7b
Tags
modiloader persistence trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

bb7b31ac0a920d74271e910ff619ad0d04867be4e1ff6b4643c0bb8513be3f7b

Threat Level: Known bad

The file cdf5fd113dde40d22ae10c54022558e0_NEIKI was found to be: Known bad.

Malicious Activity Summary

modiloader persistence trojan upx

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-08 13:54

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (1 match; no details recorded)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 matches; no details recorded)

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 13:54

Reported

2024-05-08 13:56

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (4 matches; no details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (23 matches; no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A (59 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target (duplicate rows collapsed; count in parentheses)
PID 2828 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe (8)
PID 2232 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 4716 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (3)
PID 2232 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (3)
PID 3988 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (8)
PID 3988 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (8)

Processes

C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe"

C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WDEBK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

Network

Country Destination Domain Proto (repeated queries collapsed; count in parentheses)
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp (18)
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/2828-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2828-1-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2828-4-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2828-5-0x0000000002300000-0x0000000002302000-memory.dmp

memory/2828-6-0x0000000002330000-0x0000000002332000-memory.dmp

memory/2232-7-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2232-9-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2232-11-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2828-14-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WDEBK.txt

MD5 4eb61ec7816c34ec8c125acadc57ec1b
SHA1 b0015cc865c0bb1a027be663027d3829401a31cc
SHA256 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512 f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

memory/2232-21-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

MD5 807995eab5fa7467e7a65da6a48d3509
SHA1 23a7c07f4b6e2ac879eb4104e73257e1556f9cb9
SHA256 7764d2cee5b749537e727afd2cdb00bba87e0e97b37e8c8969fa867fd6e40645
SHA512 b9bb02bec2f0a929fd33d612b2d6c7515a6aa384036c37dab8ee46832e8cee378ef630d856635666bd75667f0cdcdedd77a333cabc07908d8118dc9b2183eb4f

memory/3988-38-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2232-37-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2232-42-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3988-43-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3988-44-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4980-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3988-53-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4980-57-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4980-59-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4980-58-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4980-60-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2232-61-0x0000000000410000-0x00000000004D9000-memory.dmp

memory/2232-63-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4812-64-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4980-65-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 13:54

Reported

2024-05-08 13:56

Platform

win7-20240419-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (1 match; no details recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (18 matches; no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target (duplicate rows collapsed; count in parentheses)
PID 2068 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe (8)
PID 2656 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe (4)
PID 1936 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (4)
PID 2656 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (4)
PID 1940 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (8)
PID 1940 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (8)

Processes

C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe"

C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\cdf5fd113dde40d22ae10c54022558e0_NEIKI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PTFDH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 billabong4102.no-ip.biz udp

Files

memory/2068-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2068-3-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2068-5-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2068-15-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2068-39-0x0000000000470000-0x0000000000471000-memory.dmp

memory/2068-27-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2068-77-0x00000000004F0000-0x00000000004F2000-memory.dmp

memory/2068-69-0x00000000004D0000-0x00000000004D1000-memory.dmp

memory/2068-59-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/2068-88-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2068-87-0x0000000000404000-0x0000000000405000-memory.dmp

memory/2656-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2656-104-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2656-103-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2068-102-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2656-101-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2656-98-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2068-95-0x00000000027D0000-0x0000000002823000-memory.dmp

memory/2656-93-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2656-89-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2656-91-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PTFDH.bat

MD5 4eb61ec7816c34ec8c125acadc57ec1b
SHA1 b0015cc865c0bb1a027be663027d3829401a31cc
SHA256 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512 f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

MD5 5412663ddd1b59b1f728e50478a46c0b
SHA1 e7d28a0300b2e3d4875846b5a971a31ea05a374c
SHA256 a7e8ecdf4b395bf69ca1220c3fa35686e8ae8aeb04924bb0ceba557d17e83503
SHA512 d250a2b78a0cca7b788af3aa14749bdac3d6d7b7a5b244785f4c33f8ef5f531d18c4cbcf18028cbc734fb9f4812121fe00135e109b62b3d73023e7cfc4d24fa7

memory/2656-147-0x00000000026E0000-0x0000000002733000-memory.dmp

memory/2656-146-0x00000000026E0000-0x0000000002733000-memory.dmp

memory/2656-145-0x00000000026E0000-0x0000000002733000-memory.dmp

memory/2656-144-0x00000000026E0000-0x0000000002733000-memory.dmp

memory/2656-135-0x00000000026E0000-0x0000000002733000-memory.dmp

memory/1940-149-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1940-154-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1940-175-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1940-227-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1940-164-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1476-243-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2656-253-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1940-250-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1476-259-0x0000000000400000-0x0000000000414000-memory.dmp

memory/768-258-0x0000000000400000-0x000000000040B000-memory.dmp