modiloader | 6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a

General

Target

6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
Size

326KB
MD5

4d097d238a7302cf85ec13dc37368a94
SHA1

61a7dc09ff73dc7fabbfa16cdd7da0ab49d0c3fa
SHA256

6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a
SHA512

59ffe94d939b84aa0e25dca3ce7e29def3a95661f51ab2f06e5173a7ae18c1e6b0056095a9c8724cb68835729a592fcc1632f240b0639793f90d6a22f229122e
SSDEEP

3072:Ie2A0wxDqUpM5scww4chO+O1BmP5DG0sg3i4XZ9WvDZHwdRX/L+gP38XV:IsxD5cwohO+O1sVG0/pZ6iPC8

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1100-258-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1100-258-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

UPX dump on OEP (original entry point) 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2104-0-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/2104-78-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/2104-91-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/2104-82-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/2956-100-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2104-102-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/2956-96-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2104-81-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/2956-104-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2956-106-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2956-105-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe	UPX
behavioral1/memory/1916-151-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/1916-209-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/1916-249-0x0000000000400000-0x0000000000454000-memory.dmp	UPX
behavioral1/memory/2956-252-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1100-244-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral1/memory/1644-257-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1100-258-0x0000000000400000-0x0000000000414000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

csrsll.execsrsll.execsrsll.exe

pid process

1916 csrsll.exe
1644 csrsll.exe
1100 csrsll.exe

pid	process
1916	csrsll.exe
1644	csrsll.exe
1100	csrsll.exe

Loads dropped DLL 5 IoCs

Processes:

6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe

pid	process
2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2104-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2104-78-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2104-91-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2104-82-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2956-100-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2104-102-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2956-96-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2956-94-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2104-81-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2956-104-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2956-106-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2956-105-0x0000000000400000-0x000000000040B000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe	upx
behavioral1/memory/1916-151-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1916-209-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1916-249-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2956-252-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1100-244-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1644-257-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1100-258-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.execsrsll.exe

description	pid	process	target process
PID 2104 set thread context of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 1916 set thread context of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 set thread context of 1100	1916	csrsll.exe	csrsll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

csrsll.exe

description	pid	process
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe
Token: SeDebugPrivilege	1644	csrsll.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.execsrsll.execsrsll.exe

pid	process
2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
1916	csrsll.exe
1644	csrsll.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.execmd.execsrsll.exe

description	pid	process	target process
PID 2104 wrote to memory of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 2104 wrote to memory of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 2104 wrote to memory of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 2104 wrote to memory of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 2104 wrote to memory of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 2104 wrote to memory of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 2104 wrote to memory of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 2104 wrote to memory of 2956	2104	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
PID 2956 wrote to memory of 1792	2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	cmd.exe
PID 2956 wrote to memory of 1792	2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	cmd.exe
PID 2956 wrote to memory of 1792	2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	cmd.exe
PID 2956 wrote to memory of 1792	2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	cmd.exe
PID 1792 wrote to memory of 1800	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1800	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1800	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1800	1792	cmd.exe	reg.exe
PID 2956 wrote to memory of 1916	2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	csrsll.exe
PID 2956 wrote to memory of 1916	2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	csrsll.exe
PID 2956 wrote to memory of 1916	2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	csrsll.exe
PID 2956 wrote to memory of 1916	2956	6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe	csrsll.exe
PID 1916 wrote to memory of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1644	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1100	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1100	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1100	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1100	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1100	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1100	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1100	1916	csrsll.exe	csrsll.exe
PID 1916 wrote to memory of 1100	1916	csrsll.exe	csrsll.exe

C:\Users\Admin\AppData\Local\Temp\6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
"C:\Users\Admin\AppData\Local\Temp\6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe
"C:\Users\Admin\AppData\Local\Temp\6af93ae99cc69a9c617224c704230f42ade010e43409f8f609774528df13b95a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AONHQ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
- Adds Run key to start application
PID:1800

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AONHQ.bat
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
326KB

MD5
316be31b5eae43602ae2c9e46f7d2a93

SHA1
34a7fdbd257ade581efcea009a07147827e8001f

SHA256
468411a1bb5b4ddc67c4e451e556f9311d7a852afe1a6eec71f99fe431403c82

SHA512
05cd67e1c9989ee89050ae99899c331ff8b7d102b8cf87225736dea2b214781237548353ee8b0f57aea67cdce815234933e92270332c0472e7591122a546e326

Download Submit
memory/1100-258-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1100-244-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1644-257-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1916-249-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1916-209-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1916-183-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1916-175-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1916-164-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1916-154-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1916-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2104-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2104-70-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2104-102-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2104-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2104-5-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2104-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2104-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2104-79-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2104-69-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/2104-27-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2104-39-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2104-59-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2104-78-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2104-101-0x0000000002600000-0x0000000002654000-memory.dmp

Filesize
336KB

Download
memory/2104-91-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2104-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2956-145-0x0000000003450000-0x00000000034A4000-memory.dmp

Filesize
336KB

Download
memory/2956-146-0x0000000003450000-0x00000000034A4000-memory.dmp

Filesize
336KB

Download
memory/2956-147-0x0000000003450000-0x00000000034A4000-memory.dmp

Filesize
336KB

Download
memory/2956-100-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-105-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-106-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-104-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-252-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-92-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-94-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-96-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads