Malware Analysis Report

2025-05-28 21:06

Sample ID 241109-q4n9asyken
Target 7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N
SHA256 7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41
Tags: upx modiloader discovery persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41

Threat Level: Known bad

The file 7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N was found to be: Known bad.

What the two detonations show, read together from the signature, process, network and file data below: the sample is UPX-packed and unsigned; it starts a second copy of itself and writes into that copy (WriteProcessMemory together with SetThreadContext, the process-hollowing pattern); the second copy runs a dropped batch file, CSKIT.bat, through cmd.exe, and the batch file uses reg.exe to add a Run value named "Win Pdf" pointing at a dropped file, %APPDATA%\Microsoft\csrsll.exe; csrsll.exe is then started and repeats the same injection into two further copies of itself, enabling SeDebugPrivilege along the way; the only network activity recorded is a DNS lookup of the dynamic-DNS host billabong4102.no-ip.biz. Two points for responders: csrsll.exe is named to resemble the system process csrss.exe but lives in a user-writable folder, and the persistence is written by reg.exe rather than by the malware process itself, so registry-based detections should key on the value written, not on which process wrote it.

Malicious Activity Summary

upx modiloader discovery persistence trojan

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15

The rendered matrix is not present in this copy of the report. The mapping below is reconstructed by the editor from the signature names and observations in the report, using standard ATT&CK technique IDs; it is not the sandbox's own output.

T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)
T1055.012 Process Injection: Process Hollowing (writes into a child of the same image, SetThreadContext)
T1059.003 Command and Scripting Interpreter: Windows Command Shell (cmd /c CSKIT.bat)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (reg.exe ADD ...\CurrentVersion\Run "Win Pdf")
T1036.005 Masquerading: Match Legitimate Name or Location (csrsll.exe dropped under %APPDATA%\Microsoft)
T1614.001 System Location Discovery: System Language Discovery (reads ...\Control\NLS\Language)
T1614 System Location Settings (queries Control Panel\International\Geo\Nation)
T1082 System Information Discovery (enumerates physical storage devices)
T1568 Dynamic Resolution (DNS lookup of a no-ip.biz dynamic-DNS host)

Analysis: static1

Detonation Overview

Reported

2024-11-09 13:49

Signatures

UPX packed file (tag: upx): 1 hit, no indicator details recorded.

Unsigned PE: 2 hits, no indicator details recorded.
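The two static findings above are the first things a triage script checks before a sample is detonated. The following is an added example written for this report, not code from the sandbox or from any vendor: it reads the PE section table to look for UPX's default section names and reads the security data directory to see whether an Authenticode certificate table is present at all. It uses only the standard library; build_demo_pe() fabricates a minimal, non-loadable PE header in memory so the checks can be exercised offline, and the section names and directory offsets it uses are the documented PE layout rather than anything taken from the analysed sample.

```python
"""Static triage of a PE: UPX section names and presence of an Authenticode blob.

Added example for this report, not sandbox or vendor code. build_demo_pe()
constructs a minimal PE header in memory for offline testing; the real sample
is not embedded here.
"""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _headers(pe: bytes):
    """Return (coff_offset, optional_header_offset, num_sections, opt_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # SizeOfOptionalHeader
    return coff, coff + 20, num_sections, opt_size


def section_names(pe: bytes) -> list:
    """Names from the section table (8-byte, NUL-padded fields, 40-byte entries)."""
    _, opt, n, opt_size = _headers(pe)
    table = opt + opt_size
    return [pe[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n)]


def has_authenticode_blob(pe: bytes) -> bool:
    """True if the security data directory points at a non-empty certificate table.

    A blob only shows that the file carries a signature; whether it verifies
    (chain, timestamp, hash) still needs signtool or Get-AuthenticodeSignature.
    """
    _, opt, _, _ = _headers(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}[magic]     # start of data directories
    _, size = struct.unpack_from("<II", pe, opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return size > 0


def triage(pe: bytes) -> dict:
    """Section-name packer heuristic plus signature-presence check."""
    names = section_names(pe)
    return {
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
        "has_authenticode": has_authenticode_blob(pe),
    }


def build_demo_pe(names, signed=False, pe32plus=False) -> bytes:
    """Constructed minimal PE header (not loadable) for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if signed:
        dd = (112 if pe32plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", opt, dd, 0x1000, 0x800)         # fake cert table
    sections = b"".join(struct.pack("<8s", n) + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_demo_pe([b"UPX0", b"UPX1", b".rsrc"]))
    print(triage(data))
```

The section-name check is a heuristic: a stock UPX build can be undone with `upx -d`, but malware commonly ships a modified UPX stub that breaks `upx -d` and may rename the sections, so a negative result here does not mean "not packed"; corroborate with section entropy or a YARA packer rule. Likewise the absence of a certificate table is exactly what the "Unsigned PE" signature reports, while its presence says nothing about validity.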

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 13:49

Reported

2024-11-09 13:51

Platform

win7-20241010-en

Max time kernel

120s

Max time network

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe"

Signatures

ModiLoader, DBatLoader (tags: trojan, modiloader)

Modiloader family (tag: modiloader)

ModiLoader Second Stage: 1 hit, no indicator details recorded.

Adds Run key to start application (tag: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" C:\Windows\SysWOW64\reg.exe N/A

The value is written by reg.exe (launched from the dropped CSKIT.bat via cmd.exe), not by the sample. A detection that only watches the malware process for Run-key writes misses this; key on the registry value itself (for example Sysmon event 13 on ...\CurrentVersion\Run) or on a reg.exe command line whose /d argument points into a user-writable path.
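To make that detection concrete, here is an added example (written for this report, not sandbox or vendor code) that parses reg.exe command lines and registry "value set" events, and raises an alert when a Run or RunOnce value points at a user-writable location. SAMPLE_EVENTS is constructed: its first entry mirrors the reg.exe command line recorded in this run, the others are benign decoys. The Image, ParentImage and CommandLine field names follow Sysmon process-creation events loosely and are an assumption, as is the list of user-writable path patterns.

```python
"""Flag Run-key persistence that reg.exe writes into user-writable paths.

Added example for this report, not sandbox or vendor code. SAMPLE_EVENTS is
constructed; field names are an assumption modelled on Sysmon event 1.
"""
import re
from typing import Optional

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)(?:\\|$)", re.IGNORECASE)

# Paths a non-admin user can write to. An autostart binary living here rather
# than under Program Files or C:\Windows is the persistence shape seen above.
USER_WRITABLE_RE = re.compile(
    r"(?:\\Users\\[^\\]+\\AppData\\(?:Local|LocalLow|Roaming)\\"
    r"|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\)", re.IGNORECASE)

# reg[.exe] add <key> ... ; the image may be quoted and/or given with a full path
REG_ADD_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?reg(?:\.exe)?"?\s+add\s+"?(?P<key>[^"]+?)"?(?=\s)(?P<rest>.*)$',
    re.IGNORECASE)


def _option(rest: str, flag: str) -> Optional[str]:
    """Argument of /flag in a reg.exe command line, quoted or bare."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', rest, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Split a 'reg add' command line into key, value name and data; None if not one."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    rest = m.group("rest")
    return {"key": m.group("key"), "value_name": _option(rest, "v"), "data": _option(rest, "d")}


def check_autorun(key: str, value_name: Optional[str], data: Optional[str]) -> Optional[str]:
    """Reason string when an autorun value points into a user-writable path, else None."""
    if not data or not RUN_KEY_RE.search(key):
        return None
    if USER_WRITABLE_RE.search(data):
        return f"Run value {value_name!r} starts {data} from a user-writable location"
    return None


def check_registry_set(target_object: str, details: str) -> Optional[str]:
    """Same check for a registry 'value set' event (key path ending in the value name)."""
    key, _, value_name = target_object.rpartition("\\")
    return check_autorun(key, value_name, details)


def scan_events(events) -> list:
    """Run the check over process-creation events; one alert per suspicious reg add."""
    alerts = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\reg.exe"):
            continue
        parsed = parse_reg_add(ev["CommandLine"])
        if parsed is None:
            continue
        reason = check_autorun(parsed["key"], parsed["value_name"], parsed["data"])
        if reason:
            alerts.append({**parsed, "parent": ev["ParentImage"], "reason": reason})
    return alerts


# Constructed events: [0] mirrors the report's reg.exe call, [1]-[3] are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\reg.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" '
                    r'/t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f'},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Updater '
                    r'/d "C:\Program Files\Vendor\updater.exe" /f'},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg add HKCU\Software\Contoso\App /v Path /d C:\Users\Admin\AppData\Local\Contoso\app.exe /f"},
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a["reason"], "| parent:", a["parent"])
```

Expect exactly one alert from the constructed set: the "Win Pdf" value pointing into Roaming\Microsoft. The second event writes a Run value too, but to a Program Files path, which is what an installer legitimately does; in production this rule still needs an allowlist for products that genuinely autostart from AppData (several updaters do), otherwise it is noisy.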

UPX packed file (tag: upx): 27 hits, no indicator details recorded.

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A (3 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe N/A (2 identical entries)

Opening the NLS\Language key is routine Windows behaviour (cmd.exe and reg.exe do it here too), so on its own it is a weak signal. It matters for this family only in combination with the rest of the chain, where it is the usual way a loader decides whether to run based on the victim's language.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A (64 identical entries collapsed)

Only csrsll.exe, not the initial sample, enables SeDebugPrivilege. The privilege lets a process open handles to processes it does not own and is a common prelude to cross-process writes. The signature records the AdjustTokenPrivileges call, not its result; the privilege exists only in an administrator's token, so on a standard-user account the request would not be granted.

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; the trailing count is the number of write events reported)
PID 2904 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe x8
PID 568 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe C:\Windows\SysWOW64\cmd.exe x4
PID 2960 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe x4
PID 568 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe x4
PID 972 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe x8
PID 972 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe x8

This signature also fires on ordinary process creation: the four cmd.exe -> reg.exe writes are not an injection, and every parent -> child pair in this run shows the same four writes. The injection-shaped edges are the three where a process writes eight times into a freshly started copy of its own image (2904 -> 568, 972 -> 2404, 972 -> 1332). Together with the SetThreadContext signature and the memory regions later dumped from those children (see Files), this is the process-hollowing pattern: start a suspended copy of yourself, replace its image, point its thread at the new entry point.
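The rows above carry enough structure to rebuild the process tree and to pick out the injection-shaped edges automatically. The following is an added example written for this report, not sandbox or vendor code: it parses rows in the report's own "PID X wrote to memory of Y" format, reconstructs the tree, and flags (a) writes into a child that runs the same image, (b) a cmd.exe -> reg.exe chain, and (c) executable names outside C:\Windows that are within two edits of a well-known system process name. ROWS is constructed from the six distinct edges and repeat counts listed above, using the paths the report gives; the SYSTEM_NAMES list and the edit-distance threshold are the editor's choices.

```python
"""Rebuild the process tree from 'PID X wrote to memory of Y' rows and flag
injection-shaped edges.

Added example for this report, not sandbox or vendor code. ROWS is constructed
from the six distinct behavioral1 edges and their repeat counts; SYSTEM_NAMES
and the distance threshold are assumptions made for this example.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe"
CSRSLL = r"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

# (writer pid, target pid, writer image, target image, repeat count) as reported
_EDGES = [
    (2904, 568, SAMPLE, SAMPLE, 8), (568, 2960, SAMPLE, CMD, 4), (2960, 2280, CMD, REG, 4),
    (568, 972, SAMPLE, CSRSLL, 4), (972, 2404, CSRSLL, CSRSLL, 8), (972, 1332, CSRSLL, CSRSLL, 8),
]
ROWS = "\n".join(f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
                 for p, c, pi, ci, n in _EDGES for _ in range(n))

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Process names malware likes to imitate; a near-match outside C:\Windows is suspect.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "services.exe",
                "winlogon.exe", "explorer.exe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike names such as csrsll.exe vs csrss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_rows(text: str):
    """Map pid -> image and (writer, target) -> number of write events."""
    images, writes = {}, defaultdict(int)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        images[src], images[dst] = m.group(3), m.group(4)
        writes[(src, dst)] += 1
    return images, writes


def analyse(text: str) -> dict:
    """Tree (writer treated as parent) plus a list of injection-shaped findings."""
    images, writes = parse_rows(text)
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    targets = {dst for _, dst in writes}
    roots = sorted(p for p in images if p not in targets)

    tree = []

    def walk(pid, depth):
        tree.append("  " * depth + f"{pid} {ntpath.basename(images[pid])}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)
    for r in roots:
        walk(r, 0)

    findings = []
    for (src, dst), n in sorted(writes.items()):
        s, d = ntpath.basename(images[src]).lower(), ntpath.basename(images[dst]).lower()
        if images[src] == images[dst]:
            findings.append(f"{src}->{dst}: {n} writes into a child of the same image ({s}): "
                            "process hollowing / self-injection candidate")
        elif s == "cmd.exe" and d == "reg.exe":
            findings.append(f"{src}->{dst}: cmd.exe spawning reg.exe: registry persistence chain candidate")
    for img in sorted(set(images.values())):
        name = ntpath.basename(img).lower()
        if name in SYSTEM_NAMES or img.lower().startswith("c:\\windows\\"):
            continue
        near = sorted(s for s in SYSTEM_NAMES if levenshtein(name, s) <= 2)
        if near:
            findings.append(f"{name} outside C:\\Windows resembles {near[0]}: masquerading candidate")
    return {"roots": roots, "tree": tree, "findings": findings}


if __name__ == "__main__":
    result = analyse(ROWS)
    print("\n".join(result["tree"]))
    print("\n".join(result["findings"]))
```

On the constructed rows this yields a single root (2904), a seven-process tree, three hollowing candidates, one cmd.exe -> reg.exe chain and one masquerading hit for csrsll.exe. The same-image rule is deliberately blind to write counts, because a loader that injects in one large write would otherwise slip past; the count is only reported for context.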

Processes

Tree reconstructed from the "wrote to memory of" rows above, treating the writing process as the parent; PIDs are the ones reported there, and each entry shows the image followed by its command line.

2904  C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe
      "C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe"
  568   C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe  (second copy, written into by 2904)
        "C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe"
    2960  C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSKIT.bat" "
      2280  C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
    972   C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      2404  C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe  (written into by 972)
            "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      1332  C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe  (written into by 972)
            "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 billabong4102.no-ip.biz udp

Only this DNS query is recorded; no follow-on connection to whatever address it resolved to appears in the report, and the network capture for this run was limited to 27 s (Max time network above). The host is a no-ip.biz dynamic-DNS name, so the resolved address can be changed by the operator at any time: block or alert on the hostname rather than on an IP.

Files

Dropped files

C:\Users\Admin\AppData\Local\Temp\CSKIT.bat
MD5 4eb61ec7816c34ec8c125acadc57ec1b
SHA1 b0015cc865c0bb1a027be663027d3829401a31cc
SHA256 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512 f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
MD5 a742bd25e451908a3eb4a0f1eb39398e
SHA1 e0032b8a4d350f06c6393329d704397e5ec81abb
SHA256 84fc7798c0e0345d071bd2f2f7c6de072756ba8c432d6a654ab56680472fccdb
SHA512 1f466bbb251432242ede02ef72415a61b649e1c6c77b3e68388c1727efddcd56ff5caa1f7f2fa21180daeb4fe0a7c3277dae444241889d638f7865d54021a726

Memory dumps (memory/<pid>-<n>-<start>-<end>-memory.dmp), grouped by process and region; <n> is the dump sequence number

PID 2904 (sample, first instance)
0x00400000-0x00453000 (0x53000 bytes, main image)    dumps 0, 25, 27, 38, 51, 62, 73, 94, 112
0x00404000-0x00405000                                dumps 26, 110
0x00270000-0x00271000                                dumps 3, 5
0x00290000-0x00291000                                dump 15
0x002B0000-0x002B1000                                dump 30
0x002D0000-0x002D1000                                dump 43
0x00390000-0x00391000                                dump 65
0x003B0000-0x003B1000                                dump 76
0x003D0000-0x003D2000                                dump 84
0x02490000-0x024E3000 (0x53000 bytes)                dump 95

PID 568 (sample, second instance, target of 2904's writes)
0x00400000-0x0040B000 (0xB000 bytes)                 dumps 96, 98, 100, 104, 106, 107, 109, 159, 261
0x7EFDE000-0x7EFDF000                                dump 102
0x02C20000-0x02C73000 (0x53000 bytes)                dumps 139, 152, 153, 154, 161, 162, 163, 164

PID 972 (csrsll.exe, first instance)
0x00400000-0x00453000 (0x53000 bytes, main image)    dumps 156, 185, 225, 231, 258
0x00230000-0x00231000                                dump 167
0x00250000-0x00251000                                dump 177
0x00270000-0x00271000                                dump 189

PID 2404 (csrsll.exe, target of 972's writes)
0x00400000-0x0040B000 (0xB000 bytes)                 dump 269

PID 1332 (csrsll.exe, target of 972's writes)
0x00400000-0x00414000 (0x14000 bytes)                dumps 256, 270

Reading the layout: the main image of both the sample (2904) and csrsll.exe (972) occupies 0x53000 bytes at the default 0x400000 base, and each of them also holds a second 0x53000-byte region away from the image (0x2490000 in 2904, 0x2C20000 in 568), consistent with an unpacked copy staged before injection. The children that were written into do not keep that image: 568 and 2404 end up with a 0xB000-byte image at 0x400000 and 1332 with a 0x14000-byte one, which suggests two distinct injected payloads and is the reason the "ModiLoader Second Stage" signature fires. The single page dumped at 0x7EFDE000 in 568 lies in the top-of-user-space range where Windows 7 keeps the 32-bit PEB and TEBs; a parent rewriting a child's PEB is characteristic of hollowing, but the dump alone does not prove which field was changed.

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 13:49

Reported

2024-11-09 13:51

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe"

Signatures

ModiLoader, DBatLoader (tags: trojan, modiloader)

Modiloader family (tag: modiloader)

ModiLoader Second Stage: 4 hits, no indicator details recorded.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe N/A

Adds Run key to start application (tag: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file (tag: upx): 20 hits, no indicator details recorded.

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe N/A (2 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A (3 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A (64 identical entries collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; the trailing count is the number of write events reported)
PID 4180 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe x8
PID 1132 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe C:\Windows\SysWOW64\cmd.exe x3
PID 2124 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe x3
PID 1132 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe x3
PID 740 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe x8
PID 740 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe x8

The Windows 10 run reproduces the Windows 7 chain exactly, with three writes per ordinary process creation instead of four and eight writes for each same-image injection. Tree reconstructed from these rows (writer treated as parent):

4180  7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe
  1132  7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe  (written into by 4180)
    2124  cmd.exe
      3440  reg.exe
    740   csrsll.exe
      4576  csrsll.exe  (written into by 740)
      1512  csrsll.exe  (written into by 740)

Processes

C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe

"C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe"

C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe

"C:\Users\Admin\AppData\Local\Temp\7408f54bd8b4bb9fd17b2be5c9437cec96f16d91d4253973b97e8d13bcef2a41N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COWNB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 udp

Files

memory/4180-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4180-3-0x0000000002300000-0x0000000002302000-memory.dmp

memory/4180-4-0x0000000002310000-0x0000000002312000-memory.dmp

memory/4180-5-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4180-6-0x0000000002330000-0x0000000002332000-memory.dmp

memory/1132-7-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1132-9-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1132-13-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4180-12-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\COWNB.txt

MD5 4eb61ec7816c34ec8c125acadc57ec1b
SHA1 b0015cc865c0bb1a027be663027d3829401a31cc
SHA256 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512 f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

MD5 96997895df178a823f63c071552ed6e5
SHA1 40b19ca34ed3e8b8cbcb3b7c69593901c65dba0a
SHA256 4649408b1a586dec590f4bd8c1aa059f53c4e53d4ffd085d5fa734dc36fa9eb6
SHA512 6c9e1c74295b0a43fbdf688570a38ee9081bed23b691705c3c8843ff410dc7f739e98619c9fce79a174d53b8811087c4eead949806bc26da892967056bafa355

memory/740-36-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1132-40-0x0000000000400000-0x000000000040B000-memory.dmp

memory/740-41-0x0000000000400000-0x0000000000453000-memory.dmp

memory/740-42-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1512-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1512-52-0x0000000000400000-0x0000000000414000-memory.dmp

memory/740-56-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1512-58-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1512-57-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1512-54-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1132-59-0x0000000000410000-0x00000000004D9000-memory.dmp

memory/1132-61-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4576-62-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1512-63-0x0000000000400000-0x0000000000414000-memory.dmp