modiloader | aa36d74db0680b2b064f1ac61a88fee56725687ad75dbff2f3eb6f41071f1226

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
Size

1.1MB
MD5

ec48a943a0526ab7ec566f09eac1e433
SHA1

d36fc1f7c357d216da9f08ae48ce781d527bc20e
SHA256

aa36d74db0680b2b064f1ac61a88fee56725687ad75dbff2f3eb6f41071f1226
SHA512

1bfd55d5cdf5a5c520e992c80f844108625ac88af051f031dc8edc5d0031ba5b8c5f3117c64014a5f7e2313a2481b62f8bdf6678c8193aebc4fac402c18f8bb9
SSDEEP

24576:wiKFaYjlF4aAesYeFXbjPfWP/Z3/9KeKRgD6xJP:FwJF3TsNFXbjnwJd/8

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	teamview.exe

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/2876-46-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2876-65-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2548-383-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2548-557-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2548-560-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
420	flood.exe
2876	server.exe
2548	teamview.exe
1508	VFlood.exe

Loads dropped DLL 10 IoCs

pid	Process
1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
420	flood.exe
420	flood.exe
2876	server.exe
2876	server.exe
2876	server.exe
420	flood.exe
420	flood.exe
1508	VFlood.exe
1508	VFlood.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000193a5-28.dat	upx
behavioral1/memory/2876-42-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2876-41-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2876-46-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2876-65-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2548-383-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2548-557-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2548-560-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	flood.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\teamview = "C:\\Windows\\teamview.exe"	teamview.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	teamview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	teamview.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\teamview.exe	server.exe
File opened for modification	C:\Windows\teamview.exe	server.exe
File created	C:\Windows\ntdtcstp.dll	teamview.exe
File created	C:\Windows\cmsetac.dll	teamview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VFlood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teamview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000a26ad20df156b166bd89f90318787ce9f93d40d0aa1624336a09c076ae3e71e0000000000e800000000200002000000027fadf17e01385c18664f8c2637517e0da6df6ffb7072eec504a7c9cf7054965900000001531e3b6df8b4459d7dc69d321079c03bf81b85757b9ebb0811891611d88699ee324a078c2b40e2675af6dddc8fcca6385daa37636a877d40b10eb6a1ab69a0786c705a2ac13055f60da1adf3006f397683cf578768dd129c22c601dc431e9255eaada32f3b55153fe5711a838c4c61dc6d3a6e4df4bbf91d1bb5ed4a147ff4a5f4755a1de54e7c747286938a625a3b140000000aca56f6d7155c1f30535a8c4ea150908cd4d83acb308dcc4c5036100a1e808d1275710982ea1c2e69e426d48cc2829358245dfc695210645d231296d79045f2b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000e38e408d2cf5f0175d4607ea60571190963bc88fccf675bcd415f1a790bded7e000000000e80000000020000200000004aa4ff6da57052587abc36747d426be820901b67fa2a5b267800459463d2d1ea200000005d93d7c3a5fcec27c646a088061a0b263b56e3cb7bbc141ed97cd18f1e11fee3400000000ed770a0fc77a7bf4b3c2f5a448161f5b06252dd50ef134c8ee8e7a5f8106486e43894053a8c52fee4d3f1573f54e8f257bcea585b2cdc36a91a7de627879be7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FE083331-76D3-11EF-9704-E62D5E492327} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 702f1fd3e00adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432945703"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: 33	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
Token: 33	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
Token: 33	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
Token: 33	420	flood.exe
Token: SeIncBasePriorityPrivilege	420	flood.exe
Token: SeDebugPrivilege	2876	server.exe
Token: SeBackupPrivilege	2732	vssvc.exe
Token: SeRestorePrivilege	2732	vssvc.exe
Token: SeAuditPrivilege	2732	vssvc.exe
Token: SeDebugPrivilege	2548	teamview.exe
Token: SeDebugPrivilege	2548	teamview.exe
Token: SeDebugPrivilege	1508	VFlood.exe
Token: SeDebugPrivilege	1760	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2556	iexplore.exe
1508	VFlood.exe
1508	VFlood.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1508	VFlood.exe
1508	VFlood.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2548	teamview.exe
2548	teamview.exe
2556	iexplore.exe
2556	iexplore.exe
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 420	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe	30
PID 1620 wrote to memory of 420	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe	30
PID 1620 wrote to memory of 420	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe	30
PID 1620 wrote to memory of 420	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe	30
PID 1620 wrote to memory of 420	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe	30
PID 1620 wrote to memory of 420	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe	30
PID 1620 wrote to memory of 420	1620	ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe	30
PID 420 wrote to memory of 2876	420	flood.exe	31
PID 420 wrote to memory of 2876	420	flood.exe	31
PID 420 wrote to memory of 2876	420	flood.exe	31
PID 420 wrote to memory of 2876	420	flood.exe	31
PID 420 wrote to memory of 2876	420	flood.exe	31
PID 420 wrote to memory of 2876	420	flood.exe	31
PID 420 wrote to memory of 2876	420	flood.exe	31
PID 2876 wrote to memory of 2548	2876	server.exe	35
PID 2876 wrote to memory of 2548	2876	server.exe	35
PID 2876 wrote to memory of 2548	2876	server.exe	35
PID 2876 wrote to memory of 2548	2876	server.exe	35
PID 2876 wrote to memory of 2548	2876	server.exe	35
PID 2876 wrote to memory of 2548	2876	server.exe	35
PID 2876 wrote to memory of 2548	2876	server.exe	35
PID 420 wrote to memory of 1508	420	flood.exe	36
PID 420 wrote to memory of 1508	420	flood.exe	36
PID 420 wrote to memory of 1508	420	flood.exe	36
PID 420 wrote to memory of 1508	420	flood.exe	36
PID 420 wrote to memory of 1508	420	flood.exe	36
PID 420 wrote to memory of 1508	420	flood.exe	36
PID 420 wrote to memory of 1508	420	flood.exe	36
PID 1508 wrote to memory of 2556	1508	VFlood.exe	37
PID 1508 wrote to memory of 2556	1508	VFlood.exe	37
PID 1508 wrote to memory of 2556	1508	VFlood.exe	37
PID 1508 wrote to memory of 2556	1508	VFlood.exe	37
PID 1508 wrote to memory of 2556	1508	VFlood.exe	37
PID 1508 wrote to memory of 2556	1508	VFlood.exe	37
PID 1508 wrote to memory of 2556	1508	VFlood.exe	37
PID 2556 wrote to memory of 1760	2556	iexplore.exe	38
PID 2556 wrote to memory of 1760	2556	iexplore.exe	38
PID 2556 wrote to memory of 1760	2556	iexplore.exe	38
PID 2556 wrote to memory of 1760	2556	iexplore.exe	38
PID 2556 wrote to memory of 1760	2556	iexplore.exe	38
PID 2556 wrote to memory of 1760	2556	iexplore.exe	38
PID 2556 wrote to memory of 1760	2556	iexplore.exe	38

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	teamview.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec48a943a0526ab7ec566f09eac1e433_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\scn tools\2012.2126.4890\2555.03.29T17.10\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\flood.exe
  "C:\Users\Admin\AppData\Local\Temp\flood.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:420
- - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\scn tools\2012.2126.4890\2555.03.29T17.10\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\scn tools\2012.2126.4890\2555.03.29T17.10\Native\STUBEXE\8.0.1112\@WINDIR@\teamview.exe
      "C:\Windows\teamview.exe" \melt "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2548
- - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\scn tools\2012.2126.4890\2555.03.29T17.10\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\VFlood.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VFlood.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" camfrog:im:
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7cca9acde8ad368f1d67c50e8aebd47

SHA1
9a3fbc4f93dceeb636482ec81acccefc6ba7e382

SHA256
076b972b0713a688ada8a60b1ef96ad98bb8582e9ff3b4e0e4e237cae3cd4b0f

SHA512
6d1e602c0a735ae796e66d4693a811365403690a951e808a9bc2a6e3c6eb03baa9e36e5ac17099c84c17f4c3d27d9cb9f4c0decbcfe30e70edf30063f6f68509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3599820b0bfd25c1838388ee7236eb6

SHA1
94f14195c6457480a3a88720e2a0fae5a1c7be3d

SHA256
84249538caea8650e7cf679cdce9a353d3b7e397668d8d3626df97ccc62e315f

SHA512
79a218e95efb752cdeb6e18212f0bd6b80c01f73482a36f67d22b3a704a329ee2ca645fceb01239ee9e445c68c8fb793e357fddfade4da486f573f3e570c3400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4241ec585df508c0ecbdfd8778368d3

SHA1
9a8867e3e648ae6e6d30d5c99ab5eca4f1dd6500

SHA256
079a49103f713125b657d0b7926ea044b2f9782d281b87a29ea14af043b0db68

SHA512
22b9b1681822b3bdd66b17964a6cf20556a76724650983cd87fcdad193a0b77b54f2140917e2dd26615e517c06a1f2ce4d4136330d05a9609f7d613efbde88c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc0adc168966aabb1959af9e9f463fa6

SHA1
c9ab8db6c144f9b2626a6ba942ff81c166152aaa

SHA256
b2fe53936a946a3548d431d3fa192378c4d9df728aedcdb54e4922812f8f77bb

SHA512
343f3faee9613ccb30d226454153d7b70d2d9dc1a42d05efe62c6fbffd38b86212343968e30ee785f9ff59fd04f6a45e2289b605cad674b4db04703bd94f1bb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98c19305e1fdd5e699379a56e612f4db

SHA1
d31144f1bb51300cd012a1ad9a365fbd6df80f3d

SHA256
0de9dece2facc87e28985c19739522d4a93acda197f1dc741db1dd9f48457102

SHA512
9827baaa18259aaf8c0e4cc8ccfe5f02cd97f085f36c86ee52782962ad6bd1257483fcaa22d475020b5f25c74891d7929e909274d6558d03783563b44d8ec849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67ba83b515a8f13593f0f5bb1455ecd1

SHA1
66c15b277b080b26a0e77b3c71e124f636a16abc

SHA256
d1196e188c2c4b4688f06166cbe90dd1678df72ed60e5db87e7a9096cd979d70

SHA512
ed17d359b1a7413d3a68381d533e7e43a53430fdd9178133cf7af6e605d8b2bd6ba15d5af9c338bbb90b7f466355f9716fd95638a23b47b2188b6e9f14c45574

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62ce839090995a4898c50d7d48bcd6b5

SHA1
90a1adf0d9dcc7937ccf77769f973122205ac9e8

SHA256
c82b150e66e380aa400c625c71d8706e0a2bb96be9221bdf90b7afe28d340a19

SHA512
74e73cb34e5dc34b23e0a3cf13a8e8f8f36af2886fdd96e79f187f5e7cb3c73d15200bd8198c3af5f3585be4f996109f51c07a34621b7477596ace342be7f431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f637c2576812ad9c6b6b8a1f05bfc0eb

SHA1
a0a60a374176c8d50fd0dca048056901ebe0ba0e

SHA256
349d17437dbbd7cd5ac437e47939d29c24c1abe37850bd74ec5cef1531386ddf

SHA512
33fb7b48a5976ea572f2561ba47853fb7e0eafdf958a4aedc7a3731da5e602869aa59bf3424a1a68ef42e93aba4d0fd482bd1cfe0a63cb608b21a4e3c6832509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a8422909091f6952f47accbb9023a2a

SHA1
2a1474081f18dbecd13bcf76c9ce34c0be6b7d5f

SHA256
427c87c89aaf30c7cc41b7aa6eb59135b4e332c96fa0f538b312282e98ff3ea4

SHA512
f85996594fa27b252f7c19656b081ae7626d06eb507287e05439b6ad3bfa730d15cd6c97d7412ff7a16ec24e961b8a12a580650606d0379051ee479805f966c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
399b5111af467632c220350e81bbe6c9

SHA1
8fbf5f47bc75de7d18dd53d95781f4dc9e8b0520

SHA256
978d900971429c5cf9d1d4ee5bf8f5f0e6a4cef6c8fbe59c17516ad0f3eab050

SHA512
4fdf9a5cc20a662064871a8e3dccc6aa03b4fe8cf4589caf2406a2556943260b5c6b49977e37cd270066dc9b3479f0f3c11cbb6adbcc76d137402f4d040a99d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48509d9608af319ff1fd3b3c546eb4f2

SHA1
76f7d21bde49efa37ac87c5a29b3d02dd67245ea

SHA256
fa271d1672939bf5c194cb8451549dc8eb89aa36a251fa1a75ae13b74fc7bd31

SHA512
12edcb08864797358fb95f40ab80c403667eb3d887fc827fd560f4da69b2e069c657a41422a01bd3c4ae1fa0ffde8795ecd23cabe7dfd43638f4096a16c9f764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f37be6a881104f2b21154e759930c30c

SHA1
ab75e18112d181a1b2bb1e13d33946027b0b1ec6

SHA256
1f242b503d37a6f257a0c71362d9d0caaada147865f53e3635deb869eaa664d6

SHA512
538eacd9eedc05651a323cc9a60d93608e73a0f8408275e4542a3394f3fb22ee4a129e2036f4e87bab6e40d7735a25d5411a6fb57ba6455fbaf0154d0539d3e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
155571fba07b00277f46aae6639dfcb8

SHA1
46dec07a2e2a98552fd2b4e02a3f7e2c5a30b28b

SHA256
03f001105d2cfa67fb6c0940c2fc332db330dd878b6634a9b1329c95600d1bbc

SHA512
7898d904909cbd3b76ed70b050bcd89bd0e008a2a4a0b3a13c0338cbcc55a4b124c39678b7b65bc248650ca325d5d4fcfc67ddff4d5dfe1a4f835316c743a688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6783ec6688e58c0892974f9216cc0a24

SHA1
6f48728a0c079ceace47edf5b2b71a584319cad7

SHA256
9a56e4f4cee2ac7222dfb1e0f131f6e3ce14d816f7e717f8e4f8dbbd8f2a8df2

SHA512
0e5198700353644f83406f8064be0decc788a32121174ec3e4f4d967c1b669b4b5585628a369b590093794603ca8068919910b4c64ff58f8c1928db39d909f14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfc795e6abd09fb0812c440476b8d090

SHA1
c9e2d2ffed25bcf4c01d9ee4171eecde00883feb

SHA256
a9912c97648f91c50c102f6c6e2a1fb59b7405dbf1dae0872c71e4617f745a8a

SHA512
e14ab43084f2586823089a0aaf1190119178cd93d195bc50396b647c92c8af57eaa4cdf68b3f24d99345b3ca8a94c82daeb1e588f73babad773375ce55eedbd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42a6541f977052c323bedfbdb1bfdbdc

SHA1
022468f2c8ae384dd6d1d720f755e3440d671878

SHA256
79aa74b942df1e45abf4c3cd5111fd3f17157e2252e05a2c8bf353b8a0d1f3b0

SHA512
5944c6c558850705ce8179a50612e3c31eb541a3261ceaf0f0f0ec546bd21264d25587707dc58671c340b75aa0cff92046ef86114497d3730e807ee97a875c4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
481fabd8c886cf89acfab7143bfd5750

SHA1
24bbf3676b794a45ea4fb3d53b6ca8887aff8eba

SHA256
3796ba13a5a0b539c24d81d9314c0219094a2af757091b3b65e3214720f20d9a

SHA512
8ed0375c1673f92acfe82459d6c6051bb06252889f9a0ff9d01332f2f36f2cbf2ad4ae1798c70d91ecc3ddac1c1f09887e7574745637d7316807dd7c599a79a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9052b93ba837c7ab134ca51fe60bb94

SHA1
c903064cc20215d5acc0732f970d4fcf8f78c866

SHA256
6f67c7bfb717967c93f277bbef79aec85b8a21c87290d6c7a9dc86ef99883009

SHA512
4b8d2527f69e8c327eb63c1b29869fddf7f2990fd07276927f26827d1c67d9c699e57700d8e0f74282195b7433b6144912edf3dec6546cde46496d5c34b2588a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
197398a6623ef7a6d61c55b74cff6a83

SHA1
8e8a42e65cf433e487569acf939810f1367b7679

SHA256
d01f2db81ae6b7554d1e7001b33ac86734d85d85ee2a9f703a282787b2f2dfeb

SHA512
0455391fcea953b14f3a8510917b7b1c2065cf6ef3519b0769c08f0a848257363482a99350c63e062871d628e7a73a0f3f77256f8bd22c051f26c7780a619635

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1806.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VFlood.exe

Filesize
559KB

MD5
4ba128b4cd95399e3c2cd382eb59667e

SHA1
5acfd0bc069dea6bb692bacf87ef0af0fa846246

SHA256
2159b19c8440c3a34a5bf5dd7a64694b2814007c56dc419a6645479e9d84a7be

SHA512
99bd3ac5c753e3e04ed1a148def930216cf3d9fb5c229ec5b33a8764a0838415bae1292938574e192afbf09a4fd828a5ea2f467e74cf038ca0627b994558e717

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
111KB

MD5
d43306ecfad735a5bdd97383dfb89883

SHA1
f295b132bbf10a12248f6839fc26c4a9693687cc

SHA256
6640538d559af292ab3469b1ed9b77e9d4342e8a0935da8763af2b6abcf0461a

SHA512
eb796c00bcaf3671a2105cbd66dfb02c5f0adbbbdda0c7678ad5a2ff0a80d9831ad48d3612da9303a192ccd42586bc787b72aca613975cb11faf52990e70d731

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar18D4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
951c72c63b95bae4bdf8c4374261eebf

SHA1
e709e03733fa4ff0f932094fa85951667fd0bcf1

SHA256
03b73a7ff3e74e8d02de79caf78394ff0b323ae92b3aaa8a25a27953225adb3d

SHA512
4d1c6c30045ab7133bbcab95f967834551ded752b1c0035911cd7b5053d1f3e98f0dfa445e517955d90e09962dd6b4f2954225630294fb5a567f463219769ace

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scn tools\2012.2126.4890\2555.03.29T17.10\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\VFlood.exe

Filesize
17KB

MD5
f2f8468dfac698f84b2fb50d785915e1

SHA1
f8d1da50cb41e2dfe08691bb060b3b61d2f7f60c

SHA256
677e0330fcf133afe5a90033f0dfbc86ea64dd1b1dc4ce287b4f3e80b4bd21c3

SHA512
906509890e6d0cccd8ddda1de4948a498ba0a8e91639752876da081102fbd9bc808bb48298e24b885e44b3058a318d0294dfd4730a48334255185f0f299ab485

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scn tools\2012.2126.4890\2555.03.29T17.10\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\server.exe

Filesize
17KB

MD5
98efeeaf12b52a759f6faa9506f432f7

SHA1
284989cad8275f43a7b43e08407f07d256a6aec1

SHA256
013cbee9cdf6e850998ba6e94eede639478633c86aec591cc5594b9eb2b578b7

SHA512
220b1fdbe77c8e9812ba3c42b31197845d4804a1866a980ba7b308e27338d1cb6ff3654b932e6584a59d6c76af2f57245bbb2f5ca64023c9042bde6b02dd0476

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scn tools\2012.2126.4890\2555.03.29T17.10\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\flood.exe

Filesize
17KB

MD5
4bb3da509b03e1bc7bd65107674de507

SHA1
100042e2855282f0f6f7a1b84041be9ddda7ecf1

SHA256
9de1c847ee468cf7aa86247b31436c6b2e0e13201fffc137cd2851a10c85e2f4

SHA512
9e0f96f9f37f6cf966696ff84a4b188f5857e5d2814a7a75a83bd6e44fc2de85068fd9f2112ca770881c076a56977e1ef088d61ec0bc0e8f5763e0651bf58cc3

Download Submit
memory/420-13-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/420-44-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/420-45-0x00000000008A0000-0x00000000008F0000-memory.dmp

Filesize
320KB

Download
memory/420-37-0x00000000008A0000-0x00000000008F0000-memory.dmp

Filesize
320KB

Download
memory/420-122-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/420-15-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/420-17-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/420-18-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/420-19-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/420-20-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/420-16-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/1508-97-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-120-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-101-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-107-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-106-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-109-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/1508-98-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-105-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-119-0x0000000000360000-0x00000000003D2000-memory.dmp

Filesize
456KB

Download
memory/1508-121-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/1508-100-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-99-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-88-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-96-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-110-0x0000000000360000-0x00000000003D2000-memory.dmp

Filesize
456KB

Download
memory/1508-95-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-94-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-93-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-92-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-90-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-89-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1508-87-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1620-0-0x0000000000290000-0x0000000000302000-memory.dmp

Filesize
456KB

Download
memory/1620-8-0x0000000000290000-0x0000000000302000-memory.dmp

Filesize
456KB

Download
memory/1620-7-0x0000000000290000-0x0000000000302000-memory.dmp

Filesize
456KB

Download
memory/1620-11-0x0000000003440000-0x00000000034F4000-memory.dmp

Filesize
720KB

Download
memory/1620-23-0x0000000000290000-0x0000000000302000-memory.dmp

Filesize
456KB

Download
memory/1620-124-0x0000000000290000-0x0000000000302000-memory.dmp

Filesize
456KB

Download
memory/1620-10-0x0000000003440000-0x00000000034F4000-memory.dmp

Filesize
720KB

Download
memory/1620-1-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1620-2-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1620-3-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1620-4-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1620-5-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1620-6-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2548-103-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/2548-557-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2548-102-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/2548-383-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2548-385-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/2548-384-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2548-83-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/2548-560-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2548-318-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/2876-64-0x0000000002D60000-0x0000000002DB0000-memory.dmp

Filesize
320KB

Download
memory/2876-62-0x0000000000290000-0x0000000000302000-memory.dmp

Filesize
456KB

Download
memory/2876-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2876-66-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2876-57-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/2876-46-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2876-47-0x0000000000230000-0x0000000000280000-memory.dmp

Filesize
320KB

Download
memory/2876-43-0x0000000000290000-0x0000000000302000-memory.dmp

Filesize
456KB

Download
memory/2876-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2876-42-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2876-40-0x0000000000230000-0x0000000000280000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads