warzonerat | 6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4

General

Target

6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
Size

603KB
MD5

473e257ef6b1e2336ed32ffb5d2abb35
SHA1

df1f9ca61f8233c9b555f02dd2a8c384a8971af0
SHA256

6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4
SHA512

e2958033617fcdacf1eb1f4553c6cb22841c7b3bfa4c48e3da8e3d726773dc474bc154178e97d8d8aa9890852495aadbe5b0559b77b335b45a57b693a6fe9938
SSDEEP

12288:t2iNjJS4V1JslzoOIK/aFcXFt0rCDKobXjjPwJkI61xLkR:t1XScEa2t0reXjTJRw

Score

10^/10

warzonerat execution infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.241.208.229:51997

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2444-34-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2444-33-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2444-31-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2444-29-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2444-26-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2444-24-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2444-34-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2444-33-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2444-31-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2444-29-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2444-26-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2444-24-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables embedding command execution via IExecuteCommand COM object 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2444-34-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral1/memory/2444-33-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral1/memory/2444-31-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral1/memory/2444-29-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral1/memory/2444-26-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral1/memory/2444-24-0x0000000000400000-0x000000000055A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2444-34-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2444-33-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2444-31-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2444-29-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2444-26-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2444-24-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2436 powershell.exe
1236 powershell.exe
2532 powershell.exe

pid	process
2436	powershell.exe
1236	powershell.exe
2532	powershell.exe

Drops startup file 2 IoCs

Processes:

6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe

description	pid	process	target process
PID 1400 set thread context of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2716 schtasks.exe

pid	process
2716	schtasks.exe

NTFS ADS 2 IoCs

Processes:

6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
File opened for modification	C:\Users\Admin\Documents\Documents:ApplicationData	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exepowershell.exepowershell.exepowershell.exe

pid	process
1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
2532	powershell.exe
2436	powershell.exe
1236	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe

description	pid	process	target process
PID 1400 wrote to memory of 2532	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 1400 wrote to memory of 2532	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 1400 wrote to memory of 2532	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 1400 wrote to memory of 2532	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 1400 wrote to memory of 2436	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 1400 wrote to memory of 2436	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 1400 wrote to memory of 2436	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 1400 wrote to memory of 2436	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 1400 wrote to memory of 2716	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	schtasks.exe
PID 1400 wrote to memory of 2716	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	schtasks.exe
PID 1400 wrote to memory of 2716	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	schtasks.exe
PID 1400 wrote to memory of 2716	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	schtasks.exe
PID 1400 wrote to memory of 2496	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2496	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2496	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2496	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2388	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2388	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2388	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2388	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 1400 wrote to memory of 2444	1400	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
PID 2444 wrote to memory of 1236	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 2444 wrote to memory of 1236	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 2444 wrote to memory of 1236	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 2444 wrote to memory of 1236	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	powershell.exe
PID 2444 wrote to memory of 2700	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	cmd.exe
PID 2444 wrote to memory of 2700	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	cmd.exe
PID 2444 wrote to memory of 2700	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	cmd.exe
PID 2444 wrote to memory of 2700	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	cmd.exe
PID 2444 wrote to memory of 2700	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	cmd.exe
PID 2444 wrote to memory of 2700	2444	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
"C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HGVZdrCLBO.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HGVZdrCLBO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC61D.tmp"
2⤵
- Creates scheduled task(s)
PID:2716

C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
"C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe"
2⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
"C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe"
2⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe
"C:\Users\Admin\AppData\Local\Temp\6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4.exe"
2⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC61D.tmp

Filesize
1KB

MD5
04cdb5cc33e6f8a8b07514efc3dbefbf

SHA1
691e22a26ebbb0dcd5a32be796b630a7fd227107

SHA256
8c9ebad4fa86c3244f64b7abe149bde85bf1f70cd4b229c0e445d43b9d44045e

SHA512
6c48927e25a2b19e299b2baca0b646bd5f8c051592ccb7ae32e38aa1458a9f5c2cc3ffc9167d08656a6a750f175ec6b54c8115ee08377df10d85628f2dd918cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JJGSWYU57YFVQLW3K7D5.temp

Filesize
7KB

MD5
9ceb9cf4666558c55ea96f945f2c91fe

SHA1
6446ec2bed4abb1af1e98a76fc63601502675ad2

SHA256
00cd99e239790b0c5f0a8ee4e0c52f215c98354b81e88f1b794e4c7cc88b9a5b

SHA512
ae3e451ad71caa63f78ec2b86a30a6a350d7c374d4d722cf731c25ba0cdf0e8f3861be1dfd1110848da3dc8efae3a0efc725e1b44ca5bbcc235cc5583ce80183

Download Submit
memory/1400-35-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/1400-0-0x000000007439E000-0x000000007439F000-memory.dmp

Filesize
4KB

Download
memory/1400-4-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1400-5-0x0000000004EB0000-0x0000000004F18000-memory.dmp

Filesize
416KB

Download
memory/1400-2-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/1400-1-0x0000000000200000-0x000000000029A000-memory.dmp

Filesize
616KB

Download
memory/1400-3-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/2444-34-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-33-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-31-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-29-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-26-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-24-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-23-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-20-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-18-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2444-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-46-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2700-44-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads