warzonerat | 9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
Size

5.7MB
MD5

5a2964a93da5e8a9726ab479814f012d
SHA1

bb2599555ca21395946f4d0d828f6c78394d18c2
SHA256

9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b
SHA512

889e00f04115e71e763381bee25eee66e37cc304e874c1bcbc1aa23f63ee40299e81c760296cf78b3a8159ee5327a10434759ad099a61c0496e0b0d4d3beef08
SSDEEP

98304:pv8upB6APFAYS8ILk65Hxp44MVghKrVy+dr5/FtqvGo4T:18upg+GYCkf4qg4h/FQvGo

Score

10^/10

warzonerat discovery infostealer macro persistence rat

Malware Config

Extracted

Family

warzonerat

victorybelng.ddns.net:13900

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 13 IoCs

rat

resource	yara_rule
behavioral1/memory/2672-15-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2672-13-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2672-11-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2672-8-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2880-37-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/2880-38-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/2880-36-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/2880-35-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/files/0x0009000000017292-50.dat	warzonerat
behavioral1/memory/2880-65-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/1868-82-0x0000000000AD0000-0x0000000000EEC000-memory.dmp	warzonerat
behavioral1/memory/1868-78-0x0000000000AD0000-0x0000000000EEC000-memory.dmp	warzonerat
behavioral1/memory/1868-86-0x0000000000AD0000-0x0000000000EEC000-memory.dmp	warzonerat

Suspicious Office macro 4 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0005000000019526-160.dat
behavioral1/files/0x0006000000019553-173.dat
behavioral1/files/0x0007000000019526-184.dat
behavioral1/files/0x0006000000019557-197.dat

Executes dropped EXE 5 IoCs

pid	Process
2888	._cache_9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
2636	Synaptics.exe
1868	Synaptics.exe
1984	Synaptics.exe
1376	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
1984	Synaptics.exe
1984	Synaptics.exe
1984	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1528 set thread context of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 2672 set thread context of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2636 set thread context of 1868	2636	Synaptics.exe	34
PID 1868 set thread context of 1984	1868	Synaptics.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2628	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2628	EXCEL.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 1528 wrote to memory of 2672	1528	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	30
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2672 wrote to memory of 2880	2672	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	31
PID 2880 wrote to memory of 2888	2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	32
PID 2880 wrote to memory of 2888	2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	32
PID 2880 wrote to memory of 2888	2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	32
PID 2880 wrote to memory of 2888	2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	32
PID 2880 wrote to memory of 2636	2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	33
PID 2880 wrote to memory of 2636	2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	33
PID 2880 wrote to memory of 2636	2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	33
PID 2880 wrote to memory of 2636	2880	9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe	33
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 2636 wrote to memory of 1868	2636	Synaptics.exe	34
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1868 wrote to memory of 1984	1868	Synaptics.exe	35
PID 1984 wrote to memory of 1376	1984	Synaptics.exe	36
PID 1984 wrote to memory of 1376	1984	Synaptics.exe	36
PID 1984 wrote to memory of 1376	1984	Synaptics.exe	36
PID 1984 wrote to memory of 1376	1984	Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
"C:\Users\Admin\AppData\Local\Temp\9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
  "C:\Users\Admin\AppData\Local\Temp\9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
    "C:\Users\Admin\AppData\Local\Temp\9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\._cache_9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2888
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.7MB

MD5
5a2964a93da5e8a9726ab479814f012d

SHA1
bb2599555ca21395946f4d0d828f6c78394d18c2

SHA256
9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b

SHA512
889e00f04115e71e763381bee25eee66e37cc304e874c1bcbc1aa23f63ee40299e81c760296cf78b3a8159ee5327a10434759ad099a61c0496e0b0d4d3beef08

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b.exe

Filesize
132KB

MD5
ea15890b9eca7ebe540e1ebcdbd0ce5a

SHA1
4536ad88bcac07f6cba0c8cc300a0b333c0a6c45

SHA256
9b8556cccc608749131c32f145cdb6dcfaa5b0ec5304b597bab65a6cb5cb65f8

SHA512
8d1545991d8413ff57effce63208b81d2a2afea6126e62d7c71eca02d227d4417d141b008b42d30ea3fa7b999eed0b8de5734e4ab6d939623d6497fd56742f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YcHo1xl.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YcHo1xl.xlsm

Filesize
21KB

MD5
d13f8adb6a09661bcdc7fabd7dfd83b4

SHA1
2a3646313fcf6162edb976968a2ac96df1cd82db

SHA256
6bde4fad53b518ced398e5517aaca0ac4e75df9d1d3db55515605bbffb93918e

SHA512
6d2999e3c9a604c76d3bb6a829e76bafcdb6e3e40153520c0e4c00e5373e7b2337cd3c8e18e85b2f957e98ac0e5f3187f50e54901a4f18f1521129266b8ec8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YcHo1xl.xlsm

Filesize
22KB

MD5
ca5c48c4f0b79eb95f0e5325a4d09bcd

SHA1
12f3f798c8f7ac65a884980629603ec05821fda4

SHA256
e5a2680db484abae20746f0614bb80a224f4256a338aef2cc4300845c2543473

SHA512
7d37cabb52c2212aab788c957380005134cdacdf3f514408f947f55a00b1816f9e6c8819d694491a55076c0fd8e3d05c3a067c1e2bf3ea7b4b063edf0a2928c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YcHo1xl.xlsm

Filesize
26KB

MD5
d1578a26ab15b21d139fc760c8fce332

SHA1
e582f8659ae3fb22b805007a15bdd7092c98ce03

SHA256
439337fb0694ff97419b8162ffbfc126469e84c94e22de88e63fe4ec149a2707

SHA512
e74a23a05d83ed0fa932df5e130e8ea28da3ca265705d3a2deab9b90834d4310d74dde00eef45bf04232e7926578b942b682518c0f03ff588742999bbdc7ab32

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YcHo1xl.xlsm

Filesize
24KB

MD5
2f1fa07d48f26411f3feeba54524e6a7

SHA1
1f6279823f579e04544ca9909d43b09923805def

SHA256
655fd421dfd4eea961e52c24149f5cf0e3d4588c5a4769be2fc2df6add5ac29b

SHA512
c6cab7fe88077108d1bcb22dd2409ef6cc168cfcf2167f54d9f40f5f18f83717546f1c44c5c42081e67ecb4eaa44be64d0fcba414af4304348d6df807accbb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$3YcHo1xl.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1528-4-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1528-42-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/1528-3-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/1528-0-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/1528-2-0x00000000053F0000-0x000000000583A000-memory.dmp

Filesize
4.3MB

Download
memory/1528-1-0x00000000011D0000-0x0000000001784000-memory.dmp

Filesize
5.7MB

Download
memory/1868-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1868-86-0x0000000000AD0000-0x0000000000EEC000-memory.dmp

Filesize
4.1MB

Download
memory/1868-78-0x0000000000AD0000-0x0000000000EEC000-memory.dmp

Filesize
4.1MB

Download
memory/1868-82-0x0000000000AD0000-0x0000000000EEC000-memory.dmp

Filesize
4.1MB

Download
memory/2636-67-0x0000000000320000-0x00000000008D4000-memory.dmp

Filesize
5.7MB

Download
memory/2672-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-17-0x0000000005070000-0x0000000005182000-memory.dmp

Filesize
1.1MB

Download
memory/2672-7-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2672-5-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2672-15-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2672-16-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-13-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2672-11-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2672-8-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2672-6-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2672-18-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-41-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2880-25-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-65-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-37-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-38-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-19-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-21-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-23-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-36-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-27-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-29-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-31-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2880-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-35-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads