warzonerat | e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6

Analysis

max time kernel
135s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
Size

9.4MB
MD5

90b9800403b05be03449aed0424cadf4
SHA1

bd2e5f87e78984a6f6d9cfecda5b139941731a2a
SHA256

e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6
SHA512

2f337f57985927fba9f7a149fb3d18179e93ced98cc36b143e5532b9eaae924a6148a95aab0028bd9c23a514b83a0cb72ca78d271c24dd6626714ae168f6adc6
SSDEEP

196608:08upg+GYCkf4qg4h/FQvGS8upg+GYCkf4qg4h/FQvG:0tgb4d/SvGStgb4d/SvG

Score

10^/10

warzonerat discovery infostealer macro persistence rat

Malware Config

Extracted

Family

warzonerat

victorybelng.ddns.net:13900

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 13 IoCs

rat

resource	yara_rule
behavioral1/memory/2412-23-0x0000000000D50000-0x000000000116C000-memory.dmp	warzonerat
behavioral1/memory/2412-20-0x0000000000D50000-0x000000000116C000-memory.dmp	warzonerat
behavioral1/memory/2412-16-0x0000000000D50000-0x000000000116C000-memory.dmp	warzonerat
behavioral1/memory/2412-11-0x0000000000D50000-0x000000000116C000-memory.dmp	warzonerat
behavioral1/memory/2412-15-0x0000000000D50000-0x000000000116C000-memory.dmp	warzonerat
behavioral1/memory/796-50-0x0000000000150000-0x0000000000233000-memory.dmp	warzonerat
behavioral1/memory/796-49-0x0000000000150000-0x0000000000233000-memory.dmp	warzonerat
behavioral1/memory/796-45-0x0000000000150000-0x0000000000233000-memory.dmp	warzonerat
behavioral1/memory/796-41-0x0000000000150000-0x0000000000233000-memory.dmp	warzonerat
behavioral1/files/0x0009000000017429-61.dat	warzonerat
behavioral1/memory/2592-92-0x0000000000B40000-0x0000000000F5C000-memory.dmp	warzonerat
behavioral1/memory/2592-95-0x0000000000B40000-0x0000000000F5C000-memory.dmp	warzonerat
behavioral1/memory/2592-88-0x0000000000B40000-0x0000000000F5C000-memory.dmp	warzonerat

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0006000000019cd5-182.dat

Executes dropped EXE 5 IoCs

pid	Process
2692	._cache_e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
2920	Synaptics.exe
2592	Synaptics.exe
852	Synaptics.exe
2056	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
852	Synaptics.exe
852	Synaptics.exe
852	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 2412 set thread context of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2920 set thread context of 2592	2920	Synaptics.exe	34
PID 2592 set thread context of 852	2592	Synaptics.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
352	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
352	EXCEL.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 1244 wrote to memory of 2412	1244	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	30
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 2412 wrote to memory of 796	2412	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	31
PID 796 wrote to memory of 2692	796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	32
PID 796 wrote to memory of 2692	796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	32
PID 796 wrote to memory of 2692	796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	32
PID 796 wrote to memory of 2692	796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	32
PID 796 wrote to memory of 2920	796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	33
PID 796 wrote to memory of 2920	796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	33
PID 796 wrote to memory of 2920	796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	33
PID 796 wrote to memory of 2920	796	e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe	33
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2920 wrote to memory of 2592	2920	Synaptics.exe	34
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 2592 wrote to memory of 852	2592	Synaptics.exe	35
PID 852 wrote to memory of 2056	852	Synaptics.exe	36
PID 852 wrote to memory of 2056	852	Synaptics.exe	36
PID 852 wrote to memory of 2056	852	Synaptics.exe	36
PID 852 wrote to memory of 2056	852	Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
"C:\Users\Admin\AppData\Local\Temp\e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
  "C:\Users\Admin\AppData\Local\Temp\e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
    "C:\Users\Admin\AppData\Local\Temp\e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\._cache_e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2692
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
9.4MB

MD5
90b9800403b05be03449aed0424cadf4

SHA1
bd2e5f87e78984a6f6d9cfecda5b139941731a2a

SHA256
e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6

SHA512
2f337f57985927fba9f7a149fb3d18179e93ced98cc36b143e5532b9eaae924a6148a95aab0028bd9c23a514b83a0cb72ca78d271c24dd6626714ae168f6adc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6.exe

Filesize
132KB

MD5
ea15890b9eca7ebe540e1ebcdbd0ce5a

SHA1
4536ad88bcac07f6cba0c8cc300a0b333c0a6c45

SHA256
9b8556cccc608749131c32f145cdb6dcfaa5b0ec5304b597bab65a6cb5cb65f8

SHA512
8d1545991d8413ff57effce63208b81d2a2afea6126e62d7c71eca02d227d4417d141b008b42d30ea3fa7b999eed0b8de5734e4ab6d939623d6497fd56742f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\bJgPmApZ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\bJgPmApZ.xlsm

Filesize
20KB

MD5
f9d9fa91673cfb65a97b05080ccad49e

SHA1
c95ffb449af4e0dccc76a2545ac8d1d6a7a0f50d

SHA256
e5289b514b4e1d6b3c3023050aefa6604c79f2cffe65e2e825e37d375a6c9766

SHA512
b7b380d8d7419f0ea5927c06cd02464aa679d44b00e4d1d06ad24faa439b626715cbaf1db014c06034bd54517ad1135a92c9768b88e096022e6312fe806cf948

Download Submit
C:\Users\Admin\AppData\Local\Temp\bJgPmApZ.xlsm

Filesize
24KB

MD5
ac32df529867492cc554af3b1fad9905

SHA1
8a4007e07d332faef9dd138d1a23d8c2781e10ff

SHA256
9cb5ab5f5de0f0b6910ed177d2588931106e5bf78ab7f5aa42ed002432172f97

SHA512
039b3bdcc5e30cd7933d73d2764bd184c9d699ae859c65328f1378c7d88417c5f1cea8e426aab1d18b73aaedb4100d7ee8bb5c1d912bada64e8dc6317e8962f5

Download Submit
memory/796-37-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-49-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-27-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-29-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-30-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-31-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-33-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-35-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-41-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-45-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/796-50-0x0000000000150000-0x0000000000233000-memory.dmp

Filesize
908KB

Download
memory/1244-4-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/1244-3-0x0000000005660000-0x0000000005AAA000-memory.dmp

Filesize
4.3MB

Download
memory/1244-192-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1244-1-0x00000000003E0000-0x0000000000D4C000-memory.dmp

Filesize
9.4MB

Download
memory/1244-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/1244-2-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-7-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/2412-6-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/2412-11-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/2412-16-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/2412-20-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/2412-26-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-24-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-51-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-23-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/2412-25-0x0000000005A30000-0x0000000005B42000-memory.dmp

Filesize
1.1MB

Download
memory/2412-10-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/2412-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2412-15-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/2592-88-0x0000000000B40000-0x0000000000F5C000-memory.dmp

Filesize
4.1MB

Download
memory/2592-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-96-0x0000000005910000-0x0000000005A22000-memory.dmp

Filesize
1.1MB

Download
memory/2592-95-0x0000000000B40000-0x0000000000F5C000-memory.dmp

Filesize
4.1MB

Download
memory/2592-92-0x0000000000B40000-0x0000000000F5C000-memory.dmp

Filesize
4.1MB

Download
memory/2920-77-0x0000000000050000-0x00000000009BC000-memory.dmp

Filesize
9.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads