modiloader | e973c49e3f5647060a56041e0a9f7378063a02e3c8728d1d102461278a98c00f

Analysis

max time kernel
62s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 13:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

BYPASSFIVEM.exe
Size

10.1MB
MD5

00f035f6802cc6f8585bd8df90f21ee7
SHA1

00d12acd567db0dc9d17828a2033addd2ec66b35
SHA256

e973c49e3f5647060a56041e0a9f7378063a02e3c8728d1d102461278a98c00f
SHA512

dc1f98a2553423739f2e272df80383c973fc902dabaa6f423b5bfd4453dd1c1c9b3333392092941ace78cc09a67f8adf165c8ada1809e331f514aaf5c0fcd085
SSDEEP

196608:AqwLHNz/d34jLu1HTOnfOCgPtUCGQ8hfNC1GA+MHJx2QfxfLyflipARuHCQ:K1/1hJ/CgPaxQ8hfg1B+W9fLyOBiQ

Score

10^/10

modiloader njrat ducservice persistence trojan upx vmprotect

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ducservice

hakim32.ddns.net:2000

45.141.26.194:1337

Mutex

3f7251b9b8c5afa092adc8657b97c1c2

Attributes

reg_key
3f7251b9b8c5afa092adc8657b97c1c2
splitter
|'|'|

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/868-90-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2120-93-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BYPASSFIVEM.exeNewX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	BYPASSFIVEM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NewX.exe

Executes dropped EXE 4 IoCs

Processes:

NewX.vmp.exeNewX.exeducservice.exeServer.exe

pid process

4984 NewX.vmp.exe
868 NewX.exe
2120 ducservice.exe
3344 Server.exe
Loads dropped DLL 1 IoCs

Processes:

NewX.vmp.exe

pid process

4984 NewX.vmp.exe

pid	process
4984	NewX.vmp.exe
868	NewX.exe
2120	ducservice.exe
3344	Server.exe

pid	process
4984	NewX.vmp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.exe	upx
behavioral1/memory/868-81-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/868-90-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2120-93-0x0000000000400000-0x0000000000414000-memory.dmp	upx

VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe vmprotect
behavioral1/memory/4984-28-0x0000000000400000-0x00000000020DA000-memory.dmp vmprotect
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

ducservice.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ducservice = "C:\\Users\\Admin\\AppData\\Roaming\\ducservice.exe" ducservice.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe	vmprotect
behavioral1/memory/4984-28-0x0000000000400000-0x00000000020DA000-memory.dmp	vmprotect

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ducservice = "C:\\Users\\Admin\\AppData\\Roaming\\ducservice.exe"	ducservice.exe

Drops file in System32 directory 64 IoCs

Processes:

NewX.vmp.exe

description	ioc	process
File opened for modification	C:\Windows\System32\psapi.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\system32\rsaenh.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\Windows.StateRepositoryPS.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\shcore.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\appresolver.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	NewX.vmp.exe
File opened for modification	C:\Windows\system32\riched20.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\ADVAPI32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\msls31.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\Bcp47Langs.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\system32\shfolder.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\SLC.dll	NewX.vmp.exe
File opened for modification	C:\Windows\system32\version.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\CoreMessaging.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\edputil.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\imm32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\OLEAUT32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\WindowsCodecs.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\WS2_32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\SETUPAPI.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	NewX.vmp.exe
File opened for modification	C:\Windows\System32\advapi32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\ole32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\ntmarta.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\OneCoreUAPCommonProxyStub.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\user32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\system32\UXTheme.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\USP10.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\imagehlp.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\IMM32.DLL	NewX.vmp.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\USERENV.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\CoreUIComponents.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\srvcli.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\sppc.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\WTSAPI32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\system32\dwmapi.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\textinputframework.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\pcacli.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\MPR.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\system32\sfc_os.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\bcrypt.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\netutils.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	NewX.vmp.exe
File opened for modification	C:\Windows\SYSTEM32\apphelp.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	NewX.vmp.exe
File opened for modification	C:\Windows\System32\USER32.dll	NewX.vmp.exe

Drops file in Program Files directory 1 IoCs

Processes:

NewX.vmp.exe

description ioc process

File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll NewX.vmp.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll	NewX.vmp.exe

Drops file in Windows directory 3 IoCs

Processes:

NewX.vmp.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	NewX.vmp.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1288_none_91a663c8cc864906\gdiplus.dll	NewX.vmp.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\COMCTL32.dll	NewX.vmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

NewX.vmp.exe

pid process

4984 NewX.vmp.exe
4984 NewX.vmp.exe
4984 NewX.vmp.exe
4984 NewX.vmp.exe
4984 NewX.vmp.exe
4984 NewX.vmp.exe
4984 NewX.vmp.exe
4984 NewX.vmp.exe
4984 NewX.vmp.exe
4984 NewX.vmp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NewX.vmp.exe

pid process

4984 NewX.vmp.exe

pid	process
4984	NewX.vmp.exe
4984	NewX.vmp.exe
4984	NewX.vmp.exe
4984	NewX.vmp.exe
4984	NewX.vmp.exe
4984	NewX.vmp.exe
4984	NewX.vmp.exe
4984	NewX.vmp.exe
4984	NewX.vmp.exe
4984	NewX.vmp.exe

pid	process
4984	NewX.vmp.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

NewX.vmp.exe

description	pid	process
Token: SeDebugPrivilege	4984	NewX.vmp.exe
Token: SeTcbPrivilege	4984	NewX.vmp.exe
Token: SeTcbPrivilege	4984	NewX.vmp.exe
Token: SeLoadDriverPrivilege	4984	NewX.vmp.exe
Token: SeCreateGlobalPrivilege	4984	NewX.vmp.exe
Token: SeLockMemoryPrivilege	4984	NewX.vmp.exe
Token: 33	4984	NewX.vmp.exe
Token: SeSecurityPrivilege	4984	NewX.vmp.exe
Token: SeTakeOwnershipPrivilege	4984	NewX.vmp.exe
Token: SeManageVolumePrivilege	4984	NewX.vmp.exe
Token: SeBackupPrivilege	4984	NewX.vmp.exe
Token: SeCreatePagefilePrivilege	4984	NewX.vmp.exe
Token: SeShutdownPrivilege	4984	NewX.vmp.exe
Token: SeRestorePrivilege	4984	NewX.vmp.exe
Token: 33	4984	NewX.vmp.exe
Token: SeIncBasePriorityPrivilege	4984	NewX.vmp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NewX.vmp.exe

pid process

4984 NewX.vmp.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NewX.vmp.exeLogonUI.exe

pid process

4984 NewX.vmp.exe
1956 LogonUI.exe

pid	process
4984	NewX.vmp.exe

pid	process
4984	NewX.vmp.exe
1956	LogonUI.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

BYPASSFIVEM.exeNewX.exe

description	pid	process	target process
PID 4448 wrote to memory of 4984	4448	BYPASSFIVEM.exe	NewX.vmp.exe
PID 4448 wrote to memory of 4984	4448	BYPASSFIVEM.exe	NewX.vmp.exe
PID 4448 wrote to memory of 868	4448	BYPASSFIVEM.exe	NewX.exe
PID 4448 wrote to memory of 868	4448	BYPASSFIVEM.exe	NewX.exe
PID 4448 wrote to memory of 868	4448	BYPASSFIVEM.exe	NewX.exe
PID 868 wrote to memory of 2120	868	NewX.exe	ducservice.exe
PID 868 wrote to memory of 2120	868	NewX.exe	ducservice.exe
PID 868 wrote to memory of 2120	868	NewX.exe	ducservice.exe
PID 4448 wrote to memory of 3344	4448	BYPASSFIVEM.exe	Server.exe
PID 4448 wrote to memory of 3344	4448	BYPASSFIVEM.exe	Server.exe
PID 4448 wrote to memory of 3344	4448	BYPASSFIVEM.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\BYPASSFIVEM.exe
"C:\Users\Admin\AppData\Local\Temp\BYPASSFIVEM.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Roaming\ducservice.exe
"C:\Users\Admin\AppData\Roaming\ducservice.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2120

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
2⤵
- Executes dropped EXE
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.exe
Filesize
18KB

MD5
04e8a7b1a3a658cb5d8041542195075a

SHA1
22bf6e551c2c0279d2d0bc41a68f378c71b2d8f0

SHA256
0288572315915db261182f65784eb05ffdc4edb9774c88f68b085362dfad19b3

SHA512
4082e953b0dc9be718283c0cb295bb218d1df5f15712f7a488f426f8b8e24ee1a2b67b30d80e52eba3bc5116b04589113c655ee92f4da73039dec325cbe13d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe
Filesize
10.1MB

MD5
410912bf0fb6f35648644fe15f0db3fd

SHA1
6e2d57b868372e22b318e79a2bd6da4c2902e75e

SHA256
e8220c82de5497eecd9b6a92210d6dbac2e1f0b17dc18ef81cbdafbd61a376da

SHA512
9b3966a2300682f84d3fe41958943c3dbf2b73a8209ee749338a76bf60f240367fa185cb5c80570dca2d539c2e2c7546a462e2b72c3be2887e16253895841c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize
93KB

MD5
fda77b550950991faf74d80e6ef7ed20

SHA1
983abb7b99755fd927640927394ffeba9b7a958c

SHA256
bda9b19762eaa3c07bf6e1e4730644f94ef4b837a6d5e60b730ef88913e4dd29

SHA512
a12d17c808a9e5d39e2a5731b04c30208026df0eab902ebb2912c78ddf8a90b082edce773c5f13ba79dc51da36f5fb0ee33cccc645938d967caa815d508d487e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lua53-64.dll
Filesize
528KB

MD5
b7c9f1e7e640f1a034be84af86970d45

SHA1
f795dc3d781b9578a96c92658b9f95806fc9bdde

SHA256
6d0a06b90213f082cb98950890518c0f08b9fc16dbfab34d400267cb6cdadeff

SHA512
da63992b68f1112c0d6b33e6004f38e85b3c3e251e0d5457cd63804a49c5aa05aa23249e0614dacad4fec28ca6efdb5ddee06da5bfbfa07e21942976201079f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{39D8FB89-7D81-4BA6-A552-C314F56ABC71}\ADDRESSES.TMP
Filesize
37KB

MD5
d2d742f0546b927faabeda1e684ca0c3

SHA1
95c6d1f339a46c1feebe2efbb69bc0891ad41f3a

SHA256
372ef3aa04a2880b5e1afe99c22b2d7e23974f6e565f94192319b032b4422826

SHA512
dd533242be1a487ee8496b72ba1f27bd596eda0a788adad6270c3631be082557d6de24f07e95f9840886957107df1c5e359cf8f5d2e4f920f696a58e4b3a07db

Download Submit
C:\Users\Admin\AppData\Local\Temp\{39D8FB89-7D81-4BA6-A552-C314F56ABC71}\MEMORY.FIRST
Filesize
18KB

MD5
a9c85774e694145d8ae0b76a7172cab9

SHA1
b04c5e62e7ae824da0b3ec8d56c753d7d5d64f79

SHA256
504fdb8f653bb0dbe3710228a912080876da9bbd2236d788fa4a20a3b061397d

SHA512
41977aeea8d591022f7983669b15685a82cb3db039b5ca0d8ce97e30cdd79b8e0617032e212068ebfb4084510af49657f25ecfc0dce444068be284ff32fa21db

Download Submit
memory/868-90-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/868-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2120-93-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4984-23-0x00007FFEB2B30000-0x00007FFEB2B32000-memory.dmp

Filesize
8KB

Download
memory/4984-28-0x0000000000400000-0x00000000020DA000-memory.dmp

Filesize
28.9MB

Download
memory/4984-27-0x00007FFEB2D90000-0x00007FFEB2D92000-memory.dmp

Filesize
8KB

Download
memory/4984-26-0x00007FFEB0930000-0x00007FFEB0932000-memory.dmp

Filesize
8KB

Download
memory/4984-43-0x0000000007B60000-0x0000000007BE3000-memory.dmp

Filesize
524KB

Download
memory/4984-25-0x00007FFEB0920000-0x00007FFEB0922000-memory.dmp

Filesize
8KB

Download
memory/4984-24-0x00007FFEB2B40000-0x00007FFEB2B42000-memory.dmp

Filesize
8KB

Download
memory/4984-64-0x00000000013A6000-0x00000000016C5000-memory.dmp

Filesize
3.1MB

Download
memory/4984-78-0x0000000007B60000-0x0000000007BE3000-memory.dmp

Filesize
524KB

Download
memory/4984-79-0x00000000013A6000-0x00000000016C5000-memory.dmp

Filesize
3.1MB

Download
memory/4984-22-0x00007FFEB2D80000-0x00007FFEB2D82000-memory.dmp

Filesize
8KB

Download
memory/4984-21-0x00007FFEB2D70000-0x00007FFEB2D72000-memory.dmp

Filesize
8KB

Download
memory/4984-20-0x00000000013A6000-0x00000000016C5000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads