warzonerat | b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334

General

Target

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
Size

282KB
MD5

eb5005349713aa25ee7cfc2833786d56
SHA1

900d09d685fff9b690ca50b96b5ab77449f5623f
SHA256

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334
SHA512

6926d989e716cd958a03a49c56679725dba11b30bfb3be20ea99bfe4d4449d4ac4aa202e2fc59a99f624635191a9581bc5d97d2d7ce2ca3d95259b5524fb0164

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

grace.adds-only.xyz:2323

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2560-129-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2560-130-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2560-136-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/4012-165-0x0000000005330000-0x000000000582E000-memory.dmp	warzonerat
behavioral1/memory/976-645-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/976-654-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

4012 images.exe
976 images.exe

pid	process
4012	images.exe
976	images.exe

Drops startup file 2 IoCs

Processes:

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exeimages.exe

description	pid	process	target process
PID 2680 set thread context of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 4012 set thread context of 976	4012	images.exe	images.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3496 schtasks.exe
3712 schtasks.exe
NTFS ADS 1 IoCs

Processes:

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe

description ioc process

File created C:\ProgramData:ApplicationData b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe

pid	process
3496	schtasks.exe
3712	schtasks.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exepowershell.exepowershell.exeimages.exepowershell.exepowershell.exe

pid	process
2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
3316	powershell.exe
3316	powershell.exe
1344	powershell.exe
3316	powershell.exe
1344	powershell.exe
1344	powershell.exe
4012	images.exe
4012	images.exe
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exepowershell.exepowershell.exeimages.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	4012	images.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exeb9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exeimages.exeimages.exe

description	pid	process	target process
PID 2680 wrote to memory of 3316	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	powershell.exe
PID 2680 wrote to memory of 3316	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	powershell.exe
PID 2680 wrote to memory of 3316	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	powershell.exe
PID 2680 wrote to memory of 3496	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	schtasks.exe
PID 2680 wrote to memory of 3496	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	schtasks.exe
PID 2680 wrote to memory of 3496	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	schtasks.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2680 wrote to memory of 2560	2680	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
PID 2560 wrote to memory of 1344	2560	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	powershell.exe
PID 2560 wrote to memory of 1344	2560	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	powershell.exe
PID 2560 wrote to memory of 1344	2560	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	powershell.exe
PID 2560 wrote to memory of 4012	2560	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	images.exe
PID 2560 wrote to memory of 4012	2560	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	images.exe
PID 2560 wrote to memory of 4012	2560	b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe	images.exe
PID 4012 wrote to memory of 3800	4012	images.exe	powershell.exe
PID 4012 wrote to memory of 3800	4012	images.exe	powershell.exe
PID 4012 wrote to memory of 3800	4012	images.exe	powershell.exe
PID 4012 wrote to memory of 3712	4012	images.exe	schtasks.exe
PID 4012 wrote to memory of 3712	4012	images.exe	schtasks.exe
PID 4012 wrote to memory of 3712	4012	images.exe	schtasks.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 4012 wrote to memory of 976	4012	images.exe	images.exe
PID 976 wrote to memory of 3204	976	images.exe	powershell.exe
PID 976 wrote to memory of 3204	976	images.exe	powershell.exe
PID 976 wrote to memory of 3204	976	images.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
"C:\Users\Admin\AppData\Local\Temp\b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XoITdwhSekhT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7645.tmp"
2⤵
- Creates scheduled task(s)
PID:3496

C:\Users\Admin\AppData\Local\Temp\b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe
"C:\Users\Admin\AppData\Local\Temp\b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\images.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XoITdwhSekhT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28AD.tmp"
4⤵
- Creates scheduled task(s)
PID:3712

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\images.exe
MD5
eb5005349713aa25ee7cfc2833786d56

SHA1
900d09d685fff9b690ca50b96b5ab77449f5623f

SHA256
b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334

SHA512
6926d989e716cd958a03a49c56679725dba11b30bfb3be20ea99bfe4d4449d4ac4aa202e2fc59a99f624635191a9581bc5d97d2d7ce2ca3d95259b5524fb0164

Download Submit
C:\ProgramData\images.exe
MD5
eb5005349713aa25ee7cfc2833786d56

SHA1
900d09d685fff9b690ca50b96b5ab77449f5623f

SHA256
b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334

SHA512
6926d989e716cd958a03a49c56679725dba11b30bfb3be20ea99bfe4d4449d4ac4aa202e2fc59a99f624635191a9581bc5d97d2d7ce2ca3d95259b5524fb0164

Download Submit
C:\ProgramData\images.exe
MD5
eb5005349713aa25ee7cfc2833786d56

SHA1
900d09d685fff9b690ca50b96b5ab77449f5623f

SHA256
b9419a890ae732f44b4bbde7167aa6e559e912f8d1d7fa52fb9a70233efae334

SHA512
6926d989e716cd958a03a49c56679725dba11b30bfb3be20ea99bfe4d4449d4ac4aa202e2fc59a99f624635191a9581bc5d97d2d7ce2ca3d95259b5524fb0164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
059fd35747f4d509acdcaa9b9b06d0ac

SHA1
fcf23becff757d554f7beed316fe411afa391b34

SHA256
d7fe6a72ece82122d9cf3f86af4692ab735ea67e8ddffa00b103dc5c9ee2c3ee

SHA512
aea50637f1cf5c5c709eec85d5aac3bef6e353d679264c9e8327330c608eab762c8dd6fa9f6d5b6b854321dd5864772df71a70c789bc5322ede1e11023246a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9d6e710a30114e7a1a375659b3c5f3fe

SHA1
c96805c29bc0072534e2ca562ee00f88eb3d17d8

SHA256
73d0800bb37f2cc4c3dbe3a8e8a2b027a920017a15403bb827faa0a438c8aa23

SHA512
6a417915fb6620926abf452c398b1450117df80a6693c578e829039a72bf6133a656be57a9d6850f933c911817fffe8babe174ceee191d6a03a18659c1c0905c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9d6e710a30114e7a1a375659b3c5f3fe

SHA1
c96805c29bc0072534e2ca562ee00f88eb3d17d8

SHA256
73d0800bb37f2cc4c3dbe3a8e8a2b027a920017a15403bb827faa0a438c8aa23

SHA512
6a417915fb6620926abf452c398b1450117df80a6693c578e829039a72bf6133a656be57a9d6850f933c911817fffe8babe174ceee191d6a03a18659c1c0905c

Download Submit
memory/976-645-0x0000000000405CE2-mapping.dmp

Download
memory/976-654-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1344-149-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1344-163-0x0000000004E82000-0x0000000004E83000-memory.dmp

Filesize
4KB

Download
memory/1344-148-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1344-205-0x000000007F060000-0x000000007F061000-memory.dmp

Filesize
4KB

Download
memory/1344-162-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1344-169-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1344-141-0x0000000000000000-mapping.dmp

Download
memory/1344-229-0x0000000004E83000-0x0000000004E84000-memory.dmp

Filesize
4KB

Download
memory/2560-129-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2560-130-0x0000000000405CE2-mapping.dmp

Download
memory/2560-136-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2680-122-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/2680-119-0x0000000004A50000-0x0000000004F4E000-memory.dmp

Filesize
5.0MB

Download
memory/2680-115-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2680-118-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2680-123-0x0000000005820000-0x000000000585E000-memory.dmp

Filesize
248KB

Download
memory/2680-121-0x0000000004E10000-0x0000000004E17000-memory.dmp

Filesize
28KB

Download
memory/2680-120-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2680-117-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3204-685-0x0000000000000000-mapping.dmp

Download
memory/3204-746-0x0000000007232000-0x0000000007233000-memory.dmp

Filesize
4KB

Download
memory/3204-835-0x0000000007233000-0x0000000007234000-memory.dmp

Filesize
4KB

Download
memory/3204-789-0x000000007EE30000-0x000000007EE31000-memory.dmp

Filesize
4KB

Download
memory/3204-744-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/3316-135-0x0000000004232000-0x0000000004233000-memory.dmp

Filesize
4KB

Download
memory/3316-138-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/3316-166-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/3316-204-0x000000007E390000-0x000000007E391000-memory.dmp

Filesize
4KB

Download
memory/3316-176-0x0000000008D00000-0x0000000008D33000-memory.dmp

Filesize
204KB

Download
memory/3316-188-0x0000000008CE0000-0x0000000008CE1000-memory.dmp

Filesize
4KB

Download
memory/3316-145-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/3316-124-0x0000000000000000-mapping.dmp

Download
memory/3316-230-0x0000000004233000-0x0000000004234000-memory.dmp

Filesize
4KB

Download
memory/3316-140-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/3316-139-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/3316-131-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/3316-132-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/3316-125-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/3316-137-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/3316-133-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/3316-134-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/3316-126-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/3316-127-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/3496-128-0x0000000000000000-mapping.dmp

Download
memory/3712-643-0x0000000000000000-mapping.dmp

Download
memory/3800-642-0x0000000000000000-mapping.dmp

Download
memory/3800-693-0x0000000007133000-0x0000000007134000-memory.dmp

Filesize
4KB

Download
memory/3800-691-0x000000007FAF0000-0x000000007FAF1000-memory.dmp

Filesize
4KB

Download
memory/3800-657-0x0000000007132000-0x0000000007133000-memory.dmp

Filesize
4KB

Download
memory/3800-655-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/4012-165-0x0000000005330000-0x000000000582E000-memory.dmp

Filesize
5.0MB

Download
memory/4012-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads