warzonerat | ba5bda3a3bae477c9975bedcbbbc95d0d0f974d15363efe10c4c96b41a62b68e

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Size

12.6MB
MD5

080cb568ad618c933f5f93d628f3d1f7
SHA1

fa8a2680b0bf53db66c2e7a4a067b2c7188d92c8
SHA256

ba5bda3a3bae477c9975bedcbbbc95d0d0f974d15363efe10c4c96b41a62b68e
SHA512

9744d1af4eb85280947d97fd40d3f2eaca91e2b59d74eaf4733de0760a609798e6028557fa9515317c43df08e8c8fac9d20e321dfaf223c0eec340bcc495d082
SSDEEP

196608:58upg+GYCkf4qg4h/FQvGy8upg+GYCkf4qg4h/FQvGvpFvqcA:5tgb4d/SvGytgb4d/SvGj

Score

10^/10

warzonerat xred backdoor discovery infostealer macro persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Warzone RAT payload 13 IoCs

rat

resource	yara_rule
behavioral1/memory/2724-18-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2724-16-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2724-14-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2724-10-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2824-41-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/2824-42-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/2824-40-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/2824-39-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/files/0x002e000000019203-50.dat	warzonerat
behavioral1/memory/2824-68-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/296-90-0x0000000000460000-0x000000000087C000-memory.dmp	warzonerat
behavioral1/memory/296-87-0x0000000000460000-0x000000000087C000-memory.dmp	warzonerat
behavioral1/memory/296-83-0x0000000000460000-0x000000000087C000-memory.dmp	warzonerat

Suspicious Office macro 4 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000500000001952b-156.dat
behavioral1/files/0x000800000001952e-192.dat
behavioral1/files/0x000900000001952b-203.dat
behavioral1/files/0x0006000000019535-216.dat

Executes dropped EXE 5 IoCs

pid	Process
2452	._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
2948	Synaptics.exe
296	Synaptics.exe
2532	Synaptics.exe
1036	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
2948	Synaptics.exe
2532	Synaptics.exe
2532	Synaptics.exe
2532	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2724 set thread context of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2948 set thread context of 296	2948	Synaptics.exe	34
PID 296 set thread context of 2532	296	Synaptics.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2316	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2316	EXCEL.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2696 wrote to memory of 2724	2696	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2724 wrote to memory of 2824	2724	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2824 wrote to memory of 2452	2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	32
PID 2824 wrote to memory of 2452	2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	32
PID 2824 wrote to memory of 2452	2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	32
PID 2824 wrote to memory of 2452	2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	32
PID 2824 wrote to memory of 2948	2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	33
PID 2824 wrote to memory of 2948	2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	33
PID 2824 wrote to memory of 2948	2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	33
PID 2824 wrote to memory of 2948	2824	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	33
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 2948 wrote to memory of 296	2948	Synaptics.exe	34
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 296 wrote to memory of 2532	296	Synaptics.exe	35
PID 2532 wrote to memory of 1036	2532	Synaptics.exe	36
PID 2532 wrote to memory of 1036	2532	Synaptics.exe	36
PID 2532 wrote to memory of 1036	2532	Synaptics.exe	36
PID 2532 wrote to memory of 1036	2532	Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2452
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:296
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1036

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
12.6MB

MD5
080cb568ad618c933f5f93d628f3d1f7

SHA1
fa8a2680b0bf53db66c2e7a4a067b2c7188d92c8

SHA256
ba5bda3a3bae477c9975bedcbbbc95d0d0f974d15363efe10c4c96b41a62b68e

SHA512
9744d1af4eb85280947d97fd40d3f2eaca91e2b59d74eaf4733de0760a609798e6028557fa9515317c43df08e8c8fac9d20e321dfaf223c0eec340bcc495d082

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe

Filesize
132KB

MD5
ea15890b9eca7ebe540e1ebcdbd0ce5a

SHA1
4536ad88bcac07f6cba0c8cc300a0b333c0a6c45

SHA256
9b8556cccc608749131c32f145cdb6dcfaa5b0ec5304b597bab65a6cb5cb65f8

SHA512
8d1545991d8413ff57effce63208b81d2a2afea6126e62d7c71eca02d227d4417d141b008b42d30ea3fa7b999eed0b8de5734e4ab6d939623d6497fd56742f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahHyFIeA.xlsm

Filesize
21KB

MD5
84583030e140225576b3fc41a95f28da

SHA1
2900289bd1777ed7627830c3e90675a788557ddd

SHA256
61e3436fc90d0fb3bad245317873030518398a837fc89fad325c36d1c852fd97

SHA512
fb53d093f0c2d441f048d390d2a3517ea5c03c004a7fcfe46c57ce378468a31016b61423a6c99d4c5a815db17c984bc726ceed33155f4efb3363afb6c0032898

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahHyFIeA.xlsm

Filesize
25KB

MD5
6759925f98ba854746ffb0ba6f3e05dd

SHA1
62b33f52fbe21c237d6c69596d155e85d77ec75b

SHA256
65190e8a926a1f1e1235c05abf51ac43a56c07fa1263d3b79c2f71cb8f0b268d

SHA512
115872d2cfc99b78bcd3b206da088c9f178f601396f871a5137f3c24251cad1b16f65d941cb0edad91efc2fe34bbab17f1db8e686592b5264dc087ee82ecb76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahHyFIeA.xlsm

Filesize
27KB

MD5
5b386a451e64b8df315e83d49754755f

SHA1
850c131478dc7f7f20793b3f4d64e8b88fd2dcfb

SHA256
c76df48ab140d06ab4aa7a58cf58b196bbc4c89c79702323d511a785a559c2fd

SHA512
1c022f023655f8db60859b98bc63fa1b3a7238d74136e402948e9b48dae38d823a068277bddfba986153324196ee38e9a69ff129d53581e1358d0701f7ef4237

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahHyFIeA.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahHyFIeA.xlsm

Filesize
23KB

MD5
4f174f113eac4d5d446ab7b07e3dbe3c

SHA1
0e8e11e3d8f696040fdfc72ca2ce4263dd584c46

SHA256
00c5ad259cd6717fa44a4d80b4abb61a8198d3afd0a280125bd679290ea231cf

SHA512
e9665fa067f3e499aa10f56021b9cf50da4d465a4dfa2ca754bcda85d9c2cd05de42c1e517880502f25a2454cf90520c2b5bb45166c7f517d7c1c207c9104882

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahHyFIeA.xlsm

Filesize
26KB

MD5
7f46c3f1d543b0fe4b17275cf89064a3

SHA1
a89e2bb7425aadec44361a51820dc8db56fc2e0a

SHA256
10f9b5be919881c1dcda207583e7062ec2acb1f119c3518b6f0eac8b95f4147c

SHA512
460da8a35f2fe203e273b294cf98f9794beb55bafda3b57ecdd9a91ce1e95529ee836ec723cf310e74b715ac2a5e6ff7476e76e48096077ee4fbcc3f109f4b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahHyFIeA.xlsm

Filesize
29KB

MD5
04082661d6f233cffc66fcd5e839805f

SHA1
81319482b79fa45d45acc6d492e75deb537368fa

SHA256
1a464a473310e2c73563aad046defc85b57799d718126b2355e7f0e24e2680d1

SHA512
d06d9e2d2a2b367ba8120a568a8ad89ea10bd39ba631c39a1ad31256aec3cebf20c16f7470073230c8b5ede1ecb48ba22fdccc167e7bfff9f8a41147ae626ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahHyFIeA.xlsm

Filesize
25KB

MD5
2776028423bc000d0439b845eb34d72a

SHA1
9c4dc35c2b546713066a60be21f439781f02b7a2

SHA256
d7c9d82569ada2628b7383667ea81d6e3d1dc648ebecd68aa266d5983f653661

SHA512
bce844ffb1e10690c2def67504da24989a57f858ad8c3e3a42410f87d1f751e7382409637dc789b519d5f26239066251c8515a3010311d8f3eb1905e78a77751

Download Submit
C:\Users\Admin\Desktop\~$ConvertToBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/296-83-0x0000000000460000-0x000000000087C000-memory.dmp

Filesize
4.1MB

Download
memory/296-87-0x0000000000460000-0x000000000087C000-memory.dmp

Filesize
4.1MB

Download
memory/296-90-0x0000000000460000-0x000000000087C000-memory.dmp

Filesize
4.1MB

Download
memory/296-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-4-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2696-3-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-20-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-2-0x00000000058B0000-0x0000000005CFA000-memory.dmp

Filesize
4.3MB

Download
memory/2696-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x0000000000B10000-0x00000000017A4000-memory.dmp

Filesize
12.6MB

Download
memory/2724-10-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2724-22-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-5-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2724-18-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2724-45-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-19-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-21-0x0000000005C80000-0x0000000005D92000-memory.dmp

Filesize
1.1MB

Download
memory/2724-16-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2724-14-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2724-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-9-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2724-7-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2824-23-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-40-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-42-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-41-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-39-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-68-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-35-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-33-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-31-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-25-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-27-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2824-29-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2948-70-0x0000000001010000-0x0000000001CA4000-memory.dmp

Filesize
12.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads