modiloader | 6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4

General

Target

6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
Size

112KB
MD5

4306bcba85d7eab4fc890c91c35bd310
SHA1

7c3d7fe5bbdc9578ca244147969ad921f649fd65
SHA256

6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4
SHA512

19f3750dd9baeda2809943a3182e79a28a373ce0a27f1cd699d581185a2c534453002980742126a6842b3cd3a0ee2dfa2a68f5b1d10d4edf9c2e091a7063c86d
SSDEEP

1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Detects Windows executables referencing non-Windows User-Agents 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4024-68-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4024-67-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4024-69-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4024-75-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4024-68-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4024-67-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4024-69-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4024-75-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

UPX dump on OEP (original entry point) 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3596-10-0x0000000000400000-0x000000000040C000-memory.dmp	UPX
behavioral2/memory/2624-21-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3596-20-0x0000000000400000-0x000000000040C000-memory.dmp	UPX
behavioral2/memory/2624-18-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3596-12-0x0000000000400000-0x000000000040C000-memory.dmp	UPX
behavioral2/memory/2624-11-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3596-8-0x0000000000400000-0x000000000040C000-memory.dmp	UPX
behavioral2/memory/4188-51-0x0000000000400000-0x000000000040C000-memory.dmp	UPX
behavioral2/memory/4188-53-0x0000000000400000-0x000000000040C000-memory.dmp	UPX
behavioral2/memory/4188-61-0x0000000000400000-0x000000000040C000-memory.dmp	UPX
behavioral2/memory/4024-64-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4024-68-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4024-67-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4024-66-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4024-69-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/2624-71-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3596-73-0x0000000000400000-0x000000000040C000-memory.dmp	UPX
behavioral2/memory/4644-74-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/4024-75-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4188-86-0x0000000000400000-0x000000000040C000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe

Executes dropped EXE 3 IoCs

Processes:

WAMain.exeWAMain.exeWAMain.exe

pid process

4376 WAMain.exe
4644 WAMain.exe
4024 WAMain.exe

pid	process
4376	WAMain.exe
4644	WAMain.exe
4024	WAMain.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2624-21-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2624-18-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2624-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4024-64-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4024-68-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4024-67-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4024-66-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4024-69-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2624-71-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4644-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4024-75-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows WA = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WAMain.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exeWAMain.exe

description	pid	process	target process
PID 3616 set thread context of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 set thread context of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 4376 set thread context of 4188	4376	WAMain.exe	svchost.exe
PID 4376 set thread context of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 set thread context of 4024	4376	WAMain.exe	WAMain.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe
3596	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WAMain.exe

description	pid	process
Token: SeDebugPrivilege	4644	WAMain.exe
Token: SeDebugPrivilege	4644	WAMain.exe
Token: SeDebugPrivilege	4644	WAMain.exe
Token: SeDebugPrivilege	4644	WAMain.exe
Token: SeDebugPrivilege	4644	WAMain.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exesvchost.exe6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exeWAMain.exesvchost.exeWAMain.exe

pid	process
3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
3596	svchost.exe
2624	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
4376	WAMain.exe
4188	svchost.exe
4644	WAMain.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.execmd.exeWAMain.exe

description	pid	process	target process
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 3596	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	svchost.exe
PID 3616 wrote to memory of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 3616 wrote to memory of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 3616 wrote to memory of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 3616 wrote to memory of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 3616 wrote to memory of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 3616 wrote to memory of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 3616 wrote to memory of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 3616 wrote to memory of 2624	3616	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
PID 2624 wrote to memory of 3372	2624	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	cmd.exe
PID 2624 wrote to memory of 3372	2624	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	cmd.exe
PID 2624 wrote to memory of 3372	2624	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	cmd.exe
PID 3372 wrote to memory of 4108	3372	cmd.exe	reg.exe
PID 3372 wrote to memory of 4108	3372	cmd.exe	reg.exe
PID 3372 wrote to memory of 4108	3372	cmd.exe	reg.exe
PID 2624 wrote to memory of 4376	2624	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	WAMain.exe
PID 2624 wrote to memory of 4376	2624	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	WAMain.exe
PID 2624 wrote to memory of 4376	2624	6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe	WAMain.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4188	4376	WAMain.exe	svchost.exe
PID 4376 wrote to memory of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4644	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4024	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4024	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4024	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4024	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4024	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4024	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4024	4376	WAMain.exe	WAMain.exe
PID 4376 wrote to memory of 4024	4376	WAMain.exe	WAMain.exe

C:\Users\Admin\AppData\Local\Temp\6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
"C:\Users\Admin\AppData\Local\Temp\6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3596
- C:\Users\Admin\AppData\Local\Temp\6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe
  "C:\Users\Admin\AppData\Local\Temp\6140cbc7a6112ce11ae6a95c7a13b85d91ef942a087eca635c196c9d4b5587d4.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAXFT.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
      4⤵
      Adds Run key to start application
      PID:4108
- - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4188
  - - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4644
  - - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
      4⤵
      Executes dropped EXE
      PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XAXFT.txt

Filesize
148B

MD5
3a4614705555abb049c3298e61170b7f

SHA1
c8686410756f346d9551256a5b878b04770950ba

SHA256
cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b

SHA512
65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe

Filesize
112KB

MD5
ae32f13469ae17c38bf09ae444934b5e

SHA1
11636b2ebff175a561f0e81c40472372de7f0d7f

SHA256
2d04254d25d6828950bf9d9972d91f0d4df5b0d77d9b9de293d68b1b9e91f992

SHA512
49bd4b8a5555e843ae2f51b3ddef760757ce53f32afa4877aec24625b0265e00a0a68694c0bc6bffc7869f4f03d81e9640834503a2865142915a1b3740dba30d

Download Submit
memory/2624-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2624-71-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2624-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2624-18-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3596-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3596-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3596-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3596-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3596-73-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3616-3-0x00000000029E0000-0x00000000029E2000-memory.dmp

Filesize
8KB

Download
memory/3616-17-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

Filesize
8KB

Download
memory/3616-6-0x0000000002A30000-0x0000000002A32000-memory.dmp

Filesize
8KB

Download
memory/3616-7-0x0000000002A70000-0x0000000002A72000-memory.dmp

Filesize
8KB

Download
memory/3616-5-0x0000000002A20000-0x0000000002A22000-memory.dmp

Filesize
8KB

Download
memory/3616-4-0x0000000002A00000-0x0000000002A02000-memory.dmp

Filesize
8KB

Download
memory/3616-2-0x0000000002180000-0x0000000002182000-memory.dmp

Filesize
8KB

Download
memory/4024-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4024-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4024-75-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4024-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4024-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4024-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4188-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4188-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4188-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4188-86-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4376-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4376-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4376-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4376-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4376-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4644-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads