warzonerat | 99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7

General

Target

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Size

52KB
MD5

1bd356bd20a2de1c53bc28104ee97d18
SHA1

a32e710ebd3613e65fa90bd8824995bbff83794e
SHA256

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7
SHA512

6ff5deb8b34c24fdb5eaf7bfcf155d7afeddd553d61a9d61421f34fdabb6a8d0cd89c54ef0654d79988f4c52bf148ea85acdd409e2eada88636747ea0bd85fd8

Score

10^/10

warzonerat evasion infostealer rat trojan

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.199:5200

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe	Nirsoft

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2340-154-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2340-153-0x0000000000400000-0x0000000000555000-memory.dmp	warzonerat
behavioral1/memory/2340-157-0x0000000000400000-0x0000000000555000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

376 AdvancedRun.exe
2300 AdvancedRun.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe = "0"	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

description	pid	process	target process
PID 1776 set thread context of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exe99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

pid	process
376	AdvancedRun.exe
376	AdvancedRun.exe
376	AdvancedRun.exe
376	AdvancedRun.exe
2300	AdvancedRun.exe
2300	AdvancedRun.exe
2300	AdvancedRun.exe
2300	AdvancedRun.exe
1884	powershell.exe
2904	powershell.exe
2904	powershell.exe
1884	powershell.exe
1884	powershell.exe
2904	powershell.exe
1208	powershell.exe
1208	powershell.exe
1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
1208	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
Token: SeDebugPrivilege	376	AdvancedRun.exe
Token: SeImpersonatePrivilege	376	AdvancedRun.exe
Token: SeDebugPrivilege	2300	AdvancedRun.exe
Token: SeImpersonatePrivilege	2300	AdvancedRun.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

pid process

2340 99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

pid	process
2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exeAdvancedRun.exe99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

description	pid	process	target process
PID 1776 wrote to memory of 376	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	AdvancedRun.exe
PID 1776 wrote to memory of 376	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	AdvancedRun.exe
PID 1776 wrote to memory of 376	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	AdvancedRun.exe
PID 376 wrote to memory of 2300	376	AdvancedRun.exe	AdvancedRun.exe
PID 376 wrote to memory of 2300	376	AdvancedRun.exe	AdvancedRun.exe
PID 376 wrote to memory of 2300	376	AdvancedRun.exe	AdvancedRun.exe
PID 1776 wrote to memory of 1884	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 1776 wrote to memory of 1884	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 1776 wrote to memory of 1884	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 1776 wrote to memory of 2904	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 1776 wrote to memory of 2904	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 1776 wrote to memory of 2904	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 1776 wrote to memory of 2340	1776	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
PID 2340 wrote to memory of 1208	2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 2340 wrote to memory of 1208	2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 2340 wrote to memory of 1208	2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	powershell.exe
PID 2340 wrote to memory of 1676	2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	cmd.exe
PID 2340 wrote to memory of 1676	2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	cmd.exe
PID 2340 wrote to memory of 1676	2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	cmd.exe
PID 2340 wrote to memory of 1676	2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	cmd.exe
PID 2340 wrote to memory of 1676	2340	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe

C:\Users\Admin\AppData\Local\Temp\99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
"C:\Users\Admin\AppData\Local\Temp\99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1776

C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe" /SpecialRun 4101d8 376
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Local\Temp\99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
C:\Users\Admin\AppData\Local\Temp\99132457ab16ed22ad2581ad07c1f4bbd07c4adcb12e39e74df9d150f13c84b7.exe
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Disabling Security Tools

4

T1089

Modify Registry

5

T1112

Bypass User Account Control

1

T1088

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
58803daab6186db272a15ed3774b83f1

SHA1
b92b7936e356b46865b55b03ecd063ebded84e47

SHA256
631217be0c3329a4a9ea39e192d08178d776fbf9d809a2783e8713f85b1b58f2

SHA512
19e7c1882a70f4891ef6fdddff498c7ac8614c25b55595a770f0c91fb80e13cc1a639c604db5233e6a5297deb8e49c744f67d444bb10179323b88909978fd344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ca72222f323e3bac707ea1675ba6b7a6

SHA1
bacefd0e7ff1d91e31a99c645535c98e56d898ac

SHA256
3cf430220eb0a4bf4d5da8c6bc56e58601ba74cd93b484e6e6088fdfef24a2bb

SHA512
19ef191692778ab77d98b912b9c5defc1b37e9b2cd3f761ba0cda532169c28f9ee957267243fab0bc910c1dac433fd51158a0f1780ff8b109cdd5a250c9bbf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4564dce6-35ca-4d0d-bb21-fee556a48820\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/376-122-0x0000000000000000-mapping.dmp

Download
memory/1208-214-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/1208-215-0x0000000006892000-0x0000000006893000-memory.dmp

Filesize
4KB

Download
memory/1208-184-0x0000000000000000-mapping.dmp

Download
memory/1208-341-0x000000007E690000-0x000000007E691000-memory.dmp

Filesize
4KB

Download
memory/1208-344-0x0000000006893000-0x0000000006894000-memory.dmp

Filesize
4KB

Download
memory/1676-218-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1676-189-0x0000000000000000-mapping.dmp

Download
memory/1776-121-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/1776-120-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/1776-119-0x0000000006320000-0x000000000639A000-memory.dmp

Filesize
488KB

Download
memory/1776-118-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/1776-117-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1776-115-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1884-197-0x000000007EE90000-0x000000007EE91000-memory.dmp

Filesize
4KB

Download
memory/1884-216-0x0000000000EB3000-0x0000000000EB4000-memory.dmp

Filesize
4KB

Download
memory/1884-143-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/1884-127-0x0000000000000000-mapping.dmp

Download
memory/1884-146-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1884-147-0x0000000000EB2000-0x0000000000EB3000-memory.dmp

Filesize
4KB

Download
memory/1884-129-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1884-131-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1884-151-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/1884-141-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/1884-135-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/1884-137-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/1884-139-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/1884-158-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2300-125-0x0000000000000000-mapping.dmp

Download
memory/2340-251-0x0000000003FC0000-0x00000000040FC000-memory.dmp

Filesize
1.2MB

Download
memory/2340-157-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2340-154-0x0000000000405CE2-mapping.dmp

Download
memory/2340-153-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2904-199-0x000000007FAA0000-0x000000007FAA1000-memory.dmp

Filesize
4KB

Download
memory/2904-217-0x0000000006BD3000-0x0000000006BD4000-memory.dmp

Filesize
4KB

Download
memory/2904-134-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2904-130-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/2904-187-0x0000000009030000-0x0000000009031000-memory.dmp

Filesize
4KB

Download
memory/2904-155-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/2904-132-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/2904-159-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/2904-149-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/2904-148-0x0000000006BD2000-0x0000000006BD3000-memory.dmp

Filesize
4KB

Download
memory/2904-128-0x0000000000000000-mapping.dmp

Download
memory/2904-145-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/2904-173-0x0000000009250000-0x0000000009283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads