modiloader | a956e20ef94ecc4c2601ce9d8c73b62c96b9ae6edfd346e1ef650fb137c2a442

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe
Size

130KB
MD5

9847027535ce378b7e8de6ba2984ddd5
SHA1

ed0ca78c9dca7c0b5639921c18ecc6b640729130
SHA256

a956e20ef94ecc4c2601ce9d8c73b62c96b9ae6edfd346e1ef650fb137c2a442
SHA512

fdee408452ddd2ad821410061de13cc5d0398ed41d091b955420ea6d62784f2d64ae04e4704f7e8f5141db110e64ac1015393698f2144e09fb3c7e546e81ed49
SSDEEP

3072:dzpZK13RhO2/rU5R1MeOTIPQecILdmKEB54dd4xB+l:dzpZK1BAir8nkUQQLdJOjr+l

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 24 IoCs

resource	yara_rule
behavioral2/memory/1684-23-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/2188-39-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-40-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-41-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-45-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5684-48-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-49-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-53-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/4684-57-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-58-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-62-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1020-66-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-67-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-71-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1280-74-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-75-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-79-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5512-83-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-84-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-88-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/2428-92-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-93-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/3400-97-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/916-101-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	MSN.exe

Executes dropped EXE 10 IoCs

pid	Process
1684	MSN.exe
3400	mstwain32.exe
2188	mstwain32.exe
5684	mstwain32.exe
4684	mstwain32.exe
1020	mstwain32.exe
1280	mstwain32.exe
5512	mstwain32.exe
2428	mstwain32.exe
916	mstwain32.exe

Loads dropped DLL 4 IoCs

pid	Process
3400	mstwain32.exe
3400	mstwain32.exe
3400	mstwain32.exe
3400	mstwain32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022795-6.dat	upx
behavioral2/memory/1684-9-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1684-23-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/2188-39-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-40-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-41-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-45-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5684-48-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-49-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-53-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4684-57-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-58-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-62-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1020-66-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-67-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-71-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1280-74-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-75-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-79-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5512-83-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-84-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-88-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/2428-92-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-93-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3400-97-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/916-101-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	MSN.exe
File opened for modification	C:\Windows\mstwain32.exe	MSN.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1060	4168	WerFault.exe	85
4608	4168	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	MSN.exe
Token: SeBackupPrivilege	3600	vssvc.exe
Token: SeRestorePrivilege	3600	vssvc.exe
Token: SeAuditPrivilege	3600	vssvc.exe
Token: SeDebugPrivilege	3400	mstwain32.exe
Token: SeDebugPrivilege	3400	mstwain32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4168	JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe
3400	mstwain32.exe
3400	mstwain32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 1684	4168	JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe	86
PID 4168 wrote to memory of 1684	4168	JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe	86
PID 4168 wrote to memory of 1684	4168	JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe	86
PID 1684 wrote to memory of 3400	1684	MSN.exe	98
PID 1684 wrote to memory of 3400	1684	MSN.exe	98
PID 1684 wrote to memory of 3400	1684	MSN.exe	98
PID 2360 wrote to memory of 2188	2360	cmd.exe	101
PID 2360 wrote to memory of 2188	2360	cmd.exe	101
PID 2360 wrote to memory of 2188	2360	cmd.exe	101
PID 3148 wrote to memory of 5684	3148	cmd.exe	111
PID 3148 wrote to memory of 5684	3148	cmd.exe	111
PID 3148 wrote to memory of 5684	3148	cmd.exe	111
PID 292 wrote to memory of 4684	292	cmd.exe	122
PID 292 wrote to memory of 4684	292	cmd.exe	122
PID 292 wrote to memory of 4684	292	cmd.exe	122
PID 4944 wrote to memory of 1020	4944	cmd.exe	125
PID 4944 wrote to memory of 1020	4944	cmd.exe	125
PID 4944 wrote to memory of 1020	4944	cmd.exe	125
PID 2332 wrote to memory of 1280	2332	cmd.exe	129
PID 2332 wrote to memory of 1280	2332	cmd.exe	129
PID 2332 wrote to memory of 1280	2332	cmd.exe	129
PID 800 wrote to memory of 5512	800	cmd.exe	132
PID 800 wrote to memory of 5512	800	cmd.exe	132
PID 800 wrote to memory of 5512	800	cmd.exe	132
PID 1964 wrote to memory of 2428	1964	cmd.exe	135
PID 1964 wrote to memory of 2428	1964	cmd.exe	135
PID 1964 wrote to memory of 2428	1964	cmd.exe	135
PID 5876 wrote to memory of 916	5876	cmd.exe	138
PID 5876 wrote to memory of 916	5876	cmd.exe	138
PID 5876 wrote to memory of 916	5876	cmd.exe	138

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9847027535ce378b7e8de6ba2984ddd5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Users\Admin\AppData\Local\Temp\MSN.exe
  "C:\Users\Admin\AppData\Local\Temp\MSN.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 848
  2⤵
  - Program crash
  PID:1060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 848
  2⤵
  - Program crash
  PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4168 -ip 4168
1⤵
PID:2692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4168 -ip 4168
1⤵
PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\mstwain32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\mstwain32.exe
  C:\Windows\mstwain32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\mstwain32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\mstwain32.exe
  C:\Windows\mstwain32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\mstwain32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\mstwain32.exe
  C:\Windows\mstwain32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\mstwain32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\mstwain32.exe
  C:\Windows\mstwain32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\mstwain32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\mstwain32.exe
  C:\Windows\mstwain32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\mstwain32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\mstwain32.exe
  C:\Windows\mstwain32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\mstwain32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\mstwain32.exe
  C:\Windows\mstwain32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\mstwain32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5876
- C:\Windows\mstwain32.exe
  C:\Windows\mstwain32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSN.exe

Filesize
110KB

MD5
97c8b11905ea7360e98effa46e51698a

SHA1
c785055bea544e5509e3aae54802ab9f12e8174c

SHA256
7dc963471010693d8bd5d1d594e002f3976cb5787376ab8c5a2a66f0fb9501d3

SHA512
10fd0f3d15763c5257f4810fe485bcff10e39d7c50985fc22a8351e30e1c9061e48589650764da7289a6957f1f797e1f4fa2b6bda3576c99e807860fe9222ead

Download Submit
C:\Windows\cmsetac.dll

Filesize
32KB

MD5
41cee9983a20d779d877b3424fbe3cf3

SHA1
54edd919f8600dd57e3dfb4e86e69d49d02cb9db

SHA256
71133f87b00111efd26c431409d4e956d20d208f9885a6a9d0b96cf9c80ba9ce

SHA512
19a7a99e217350180fb4777134a6a058040bf9b716e7b4e1d9f32bed1179452295126b4c5ec9536bd4abc171b866d414dd93e34d6f3d21a1f369638c6add06e2

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/916-101-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1020-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1280-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1684-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1684-11-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1684-23-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2188-39-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2428-92-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-42-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/3400-34-0x00000000028D0000-0x00000000028DE000-memory.dmp

Filesize
56KB

Download
memory/3400-49-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-53-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-97-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-43-0x00000000028D0000-0x00000000028DE000-memory.dmp

Filesize
56KB

Download
memory/3400-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-45-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-41-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-93-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-84-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-88-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3400-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4684-57-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5512-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5684-48-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads