modiloader | 28a1e5b98c9b890026a9712ceabf90bc227750f5616d9d4b19f5c404d864db1f

General

Target

TheWarz-Crack.exe
Size

1.2MB
MD5

6b035800be70ccbedd9154a9ae57d03b
SHA1

c7de2eba384c891723b4a17753ee00129f5fe973
SHA256

e621a036413f70d0a00dbe48de5773dceea1429dc1864aebe90cb277583690de
SHA512

1b41dc9bf8c040ca33d26da8986f346ff6be02bf2197b78c96b2c6dbb45ba19bf4b31d8eeb4e715c78507b78ea6d2b05d039fb28e11ec8750fc5080a42c318d7
SSDEEP

24576:yzjh/FIFRPOUS01XpN4wEpv7I+CqSfhvuwGHEqPb2LxBxf3y:CKFNSEpN4NpvcAyBudHTCFq

Score

10^/10

modiloader njrat thewarz-crack-1 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

TheWarz-Crack-1

C2

103.22.181.199:1177

Mutex

4ff3a911dbfff7e34d508efdb7eca614

Attributes

reg_key
4ff3a911dbfff7e34d508efdb7eca614
splitter
|'|'|

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2528-40-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
behavioral1/memory/2528-36-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
behavioral1/memory/2528-38-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
behavioral1/memory/2528-42-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
\Users\Admin\AppData\Local\Temp\FB_AC57.tmp.exe	modiloader_stage2
behavioral1/memory/2528-82-0x0000000000400000-0x00000000004CA000-memory.dmp	modiloader_stage2
behavioral1/memory/2528-75-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
behavioral1/memory/2012-90-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1012-145-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2828 netsh.exe
Executes dropped EXE 7 IoCs

Processes:

M.exeM.exeFB_9905.tmp.exeFB_AC57.tmp.exeFB_ACE4.tmp.exeWrnia.exeTheWarz-Crack-1.exe

pid process

2872 M.exe
2528 M.exe
2664 FB_9905.tmp.exe
2012 FB_AC57.tmp.exe
2384 FB_ACE4.tmp.exe
1012 Wrnia.exe
636 TheWarz-Crack-1.exe

pid	process
2828	netsh.exe

Loads dropped DLL 17 IoCs

Processes:

TheWarz-Crack.exeM.exeM.exeFB_9905.tmp.exeFB_AC57.tmp.exeFB_ACE4.tmp.exeWrnia.exeTheWarz-Crack-1.exe

pid	process
2300	TheWarz-Crack.exe
2300	TheWarz-Crack.exe
2872	M.exe
2872	M.exe
2528	M.exe
2528	M.exe
2528	M.exe
2528	M.exe
2664	FB_9905.tmp.exe
2528	M.exe
2012	FB_AC57.tmp.exe
2384	FB_ACE4.tmp.exe
2012	FB_AC57.tmp.exe
2012	FB_AC57.tmp.exe
1012	Wrnia.exe
2664	FB_9905.tmp.exe
636	TheWarz-Crack-1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TheWarz-Crack.exeWrnia.exeTheWarz-Crack-1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	TheWarz-Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wrnia = "C:\\Users\\Admin\\AppData\\Roaming\\Wrnia.exe"	Wrnia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4ff3a911dbfff7e34d508efdb7eca614 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWarz-Crack-1.exe\" .."	TheWarz-Crack-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4ff3a911dbfff7e34d508efdb7eca614 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWarz-Crack-1.exe\" .."	TheWarz-Crack-1.exe

Drops file in System32 directory 2 IoCs

Processes:

FB_ACE4.tmp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\accessibilitycpI.dll	FB_ACE4.tmp.exe
File opened for modification	C:\Windows\SysWOW64\accessibilitycpI.dll	FB_ACE4.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

M.exe

description pid process target process

PID 2872 set thread context of 2528 2872 M.exe M.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2872 set thread context of 2528	2872	M.exe	M.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

M.exeFB_ACE4.tmp.exeTheWarz-Crack-1.exe

pid	process
2872	M.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
2384	FB_ACE4.tmp.exe
636	TheWarz-Crack-1.exe
636	TheWarz-Crack-1.exe
2384	FB_ACE4.tmp.exe
636	TheWarz-Crack-1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

FB_ACE4.tmp.exeTheWarz-Crack-1.exe

description pid process

Token: SeDebugPrivilege 2384 FB_ACE4.tmp.exe
Token: SeDebugPrivilege 636 TheWarz-Crack-1.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

M.exe

pid process

2872 M.exe
2872 M.exe

description	pid	process
Token: SeDebugPrivilege	2384	FB_ACE4.tmp.exe
Token: SeDebugPrivilege	636	TheWarz-Crack-1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TheWarz-Crack.exeM.exeM.exeFB_AC57.tmp.exeFB_9905.tmp.exeTheWarz-Crack-1.exe

description	pid	process	target process
PID 2300 wrote to memory of 2872	2300	TheWarz-Crack.exe	M.exe
PID 2300 wrote to memory of 2872	2300	TheWarz-Crack.exe	M.exe
PID 2300 wrote to memory of 2872	2300	TheWarz-Crack.exe	M.exe
PID 2300 wrote to memory of 2872	2300	TheWarz-Crack.exe	M.exe
PID 2300 wrote to memory of 2872	2300	TheWarz-Crack.exe	M.exe
PID 2300 wrote to memory of 2872	2300	TheWarz-Crack.exe	M.exe
PID 2300 wrote to memory of 2872	2300	TheWarz-Crack.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2872 wrote to memory of 2528	2872	M.exe	M.exe
PID 2528 wrote to memory of 2664	2528	M.exe	FB_9905.tmp.exe
PID 2528 wrote to memory of 2664	2528	M.exe	FB_9905.tmp.exe
PID 2528 wrote to memory of 2664	2528	M.exe	FB_9905.tmp.exe
PID 2528 wrote to memory of 2664	2528	M.exe	FB_9905.tmp.exe
PID 2528 wrote to memory of 2664	2528	M.exe	FB_9905.tmp.exe
PID 2528 wrote to memory of 2664	2528	M.exe	FB_9905.tmp.exe
PID 2528 wrote to memory of 2664	2528	M.exe	FB_9905.tmp.exe
PID 2528 wrote to memory of 2012	2528	M.exe	FB_AC57.tmp.exe
PID 2528 wrote to memory of 2012	2528	M.exe	FB_AC57.tmp.exe
PID 2528 wrote to memory of 2012	2528	M.exe	FB_AC57.tmp.exe
PID 2528 wrote to memory of 2012	2528	M.exe	FB_AC57.tmp.exe
PID 2528 wrote to memory of 2012	2528	M.exe	FB_AC57.tmp.exe
PID 2528 wrote to memory of 2012	2528	M.exe	FB_AC57.tmp.exe
PID 2528 wrote to memory of 2012	2528	M.exe	FB_AC57.tmp.exe
PID 2528 wrote to memory of 2384	2528	M.exe	FB_ACE4.tmp.exe
PID 2528 wrote to memory of 2384	2528	M.exe	FB_ACE4.tmp.exe
PID 2528 wrote to memory of 2384	2528	M.exe	FB_ACE4.tmp.exe
PID 2528 wrote to memory of 2384	2528	M.exe	FB_ACE4.tmp.exe
PID 2528 wrote to memory of 2384	2528	M.exe	FB_ACE4.tmp.exe
PID 2528 wrote to memory of 2384	2528	M.exe	FB_ACE4.tmp.exe
PID 2528 wrote to memory of 2384	2528	M.exe	FB_ACE4.tmp.exe
PID 2012 wrote to memory of 1012	2012	FB_AC57.tmp.exe	Wrnia.exe
PID 2012 wrote to memory of 1012	2012	FB_AC57.tmp.exe	Wrnia.exe
PID 2012 wrote to memory of 1012	2012	FB_AC57.tmp.exe	Wrnia.exe
PID 2012 wrote to memory of 1012	2012	FB_AC57.tmp.exe	Wrnia.exe
PID 2012 wrote to memory of 1012	2012	FB_AC57.tmp.exe	Wrnia.exe
PID 2012 wrote to memory of 1012	2012	FB_AC57.tmp.exe	Wrnia.exe
PID 2012 wrote to memory of 1012	2012	FB_AC57.tmp.exe	Wrnia.exe
PID 2664 wrote to memory of 636	2664	FB_9905.tmp.exe	TheWarz-Crack-1.exe
PID 2664 wrote to memory of 636	2664	FB_9905.tmp.exe	TheWarz-Crack-1.exe
PID 2664 wrote to memory of 636	2664	FB_9905.tmp.exe	TheWarz-Crack-1.exe
PID 2664 wrote to memory of 636	2664	FB_9905.tmp.exe	TheWarz-Crack-1.exe
PID 2664 wrote to memory of 636	2664	FB_9905.tmp.exe	TheWarz-Crack-1.exe
PID 2664 wrote to memory of 636	2664	FB_9905.tmp.exe	TheWarz-Crack-1.exe
PID 2664 wrote to memory of 636	2664	FB_9905.tmp.exe	TheWarz-Crack-1.exe
PID 636 wrote to memory of 2828	636	TheWarz-Crack-1.exe	netsh.exe
PID 636 wrote to memory of 2828	636	TheWarz-Crack-1.exe	netsh.exe
PID 636 wrote to memory of 2828	636	TheWarz-Crack-1.exe	netsh.exe
PID 636 wrote to memory of 2828	636	TheWarz-Crack-1.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe
"C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\Temp\FB_9905.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_9905.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe
"C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe" "TheWarz-Crack-1.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:2828

C:\Users\Admin\AppData\Local\Temp\FB_AC57.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_AC57.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Roaming\Wrnia.exe
"C:\Users\Admin\AppData\Roaming\Wrnia.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1012

C:\Users\Admin\AppData\Local\Temp\FB_ACE4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_ACE4.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_
Filesize
851KB

MD5
4c687cafefcab325c62847a3910c71a9

SHA1
882409e2d437758967ffbe8d9740dd35a86e95c6

SHA256
fb635a07236ad5395238b0e18ba87f60264d93bc8a2e13805b661f528a185793

SHA512
97b730f00751df1a41670b079c1f784709f8ce79b3eaece05be0007ddb8f8566876a93b21be459dbb9f91e265b45c88565dda3a1e7501a4f63b2b7255a9cd5de

Download Submit
C:\Windows\SysWOW64\accessibilitycpI.dll
Filesize
302KB

MD5
0d313a81c8b3b25e58ea49359242bea4

SHA1
7d9e242e418a982f248f9981b10b64830d67d802

SHA256
3000f91791e0b3331ccc130d0bc5d94b2ae5fc529b3924a2e97002e3251d926b

SHA512
63f9bef6ad11372b241b5e679c63c2164e21073f8a99b7442d89e301b017e5e2f0c344ef3df0227506837816c86e7539899a9c1499cefa0b18c257f8f87837a7

Download Submit
\Users\Admin\AppData\Local\Temp\FB_9905.tmp.exe
Filesize
29KB

MD5
614ee07b628e4994d4d7f1b9beda6ece

SHA1
0171581e8d76d2d922027f4f072cff8215c55abb

SHA256
b4458b76c0ade6678ac78a74dfa38dff4125d39210717b2c2bdd271bdd733cef

SHA512
c279ff78b25f40bde2f64ab33ba5a2b9b4046e68a4e2089121118173930eaab813f48e8a30f569b25a316c79cc4e42df18df8c219a258096d5ce9359f007e001

Download Submit
\Users\Admin\AppData\Local\Temp\FB_AC57.tmp.exe
Filesize
36KB

MD5
bc31fb751e47491430d909c72c5529c9

SHA1
c1a5925786cf7729d04f765cd1cd47fab5ddcf95

SHA256
aecbf1535c7be968369ce966f8478cc55dd311f122565f5ee7d627cd302f4921

SHA512
03af1955cd15bf239a1e3ec768f66320b17a84e06d977fa3aa1aa1e1b7c03db78e10a6e8d94ffa504b56fc649722a3fd6dcbec95335d888d20c2ade989a8355d

Download Submit
\Users\Admin\AppData\Local\Temp\FB_ACE4.tmp.exe
Filesize
723KB

MD5
ca554c5962d17073e7ce0e65e505158c

SHA1
5d09fe7bac713a0e03b3b1322019f86dd10a2c9e

SHA256
448565c452f2c88c73061548aa46c1dbdc281567dffc2abec39e7eb177f230cb

SHA512
969408b0975c6e0288b3bd5e5521fa092712d8cc9fe23f9166751d0f1e2f5c570712bc91c8602c0474dd0c6a2ef52975b06736295dca7f9d9fbb7a8da2fc8b27

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
Filesize
716KB

MD5
aa8a27f555ba52a3057d1ebd59e51193

SHA1
fbc1b0916e428969d2e7e11f2a0c5bd6449ad05f

SHA256
09cd260d8a7a59b6e123b59d1d7ccdb289d56ccf7be4952451768bbafee305d2

SHA512
04bbf4d273bebd851725b5b4cae007413983cdb7efef56f8d88995493f5c8d0afa29accd7d8135ac686acbde8c8f7507c23969b4f5315409dedc2e4d34fdcfb3

Download Submit
memory/1012-145-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2012-90-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2384-94-0x0000000000E30000-0x0000000000EEA000-memory.dmp

Filesize
744KB

Download
memory/2528-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2528-36-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-28-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-31-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-26-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-34-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-42-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-38-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-40-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-52-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2528-82-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2528-75-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-33-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/2528-24-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2872-20-0x00000000001F0000-0x00000000001F5000-memory.dmp

Filesize
20KB

Download
memory/2872-15-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads