warzonerat | ba5bda3a3bae477c9975bedcbbbc95d0d0f974d15363efe10c4c96b41a62b68e

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Size

12.6MB
MD5

080cb568ad618c933f5f93d628f3d1f7
SHA1

fa8a2680b0bf53db66c2e7a4a067b2c7188d92c8
SHA256

ba5bda3a3bae477c9975bedcbbbc95d0d0f974d15363efe10c4c96b41a62b68e
SHA512

9744d1af4eb85280947d97fd40d3f2eaca91e2b59d74eaf4733de0760a609798e6028557fa9515317c43df08e8c8fac9d20e321dfaf223c0eec340bcc495d082
SSDEEP

196608:58upg+GYCkf4qg4h/FQvGy8upg+GYCkf4qg4h/FQvGvpFvqcA:5tgb4d/SvGytgb4d/SvGj

Score

10^/10

warzonerat xred backdoor discovery infostealer macro persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Warzone RAT payload 13 IoCs

rat

resource	yara_rule
behavioral1/memory/2392-10-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2392-17-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2392-15-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/2392-14-0x0000000000400000-0x000000000081C000-memory.dmp	warzonerat
behavioral1/memory/3024-39-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/3024-38-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/3024-37-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/3024-41-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/files/0x0008000000015d0e-48.dat	warzonerat
behavioral1/memory/3024-66-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral1/memory/1912-84-0x0000000000430000-0x000000000084C000-memory.dmp	warzonerat
behavioral1/memory/1912-80-0x0000000000430000-0x000000000084C000-memory.dmp	warzonerat
behavioral1/memory/1912-88-0x0000000000430000-0x000000000084C000-memory.dmp	warzonerat

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0008000000016d54-186.dat
behavioral1/files/0x0007000000016d6b-199.dat
behavioral1/files/0x000a000000016d54-210.dat

Executes dropped EXE 5 IoCs

pid	Process
2728	._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
2692	Synaptics.exe
1912	Synaptics.exe
2152	Synaptics.exe
2040	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
2152	Synaptics.exe
2152	Synaptics.exe
2152	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2392 set thread context of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2692 set thread context of 1912	2692	Synaptics.exe	34
PID 1912 set thread context of 2152	1912	Synaptics.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2324	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	EXCEL.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2132 wrote to memory of 2392	2132	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	30
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 2392 wrote to memory of 3024	2392	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	31
PID 3024 wrote to memory of 2728	3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	32
PID 3024 wrote to memory of 2728	3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	32
PID 3024 wrote to memory of 2728	3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	32
PID 3024 wrote to memory of 2728	3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	32
PID 3024 wrote to memory of 2692	3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	33
PID 3024 wrote to memory of 2692	3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	33
PID 3024 wrote to memory of 2692	3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	33
PID 3024 wrote to memory of 2692	3024	2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe	33
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 2692 wrote to memory of 1912	2692	Synaptics.exe	34
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 1912 wrote to memory of 2152	1912	Synaptics.exe	35
PID 2152 wrote to memory of 2040	2152	Synaptics.exe	36
PID 2152 wrote to memory of 2040	2152	Synaptics.exe	36
PID 2152 wrote to memory of 2040	2152	Synaptics.exe	36
PID 2152 wrote to memory of 2040	2152	Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2728
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
12.6MB

MD5
080cb568ad618c933f5f93d628f3d1f7

SHA1
fa8a2680b0bf53db66c2e7a4a067b2c7188d92c8

SHA256
ba5bda3a3bae477c9975bedcbbbc95d0d0f974d15363efe10c4c96b41a62b68e

SHA512
9744d1af4eb85280947d97fd40d3f2eaca91e2b59d74eaf4733de0760a609798e6028557fa9515317c43df08e8c8fac9d20e321dfaf223c0eec340bcc495d082

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-03_080cb568ad618c933f5f93d628f3d1f7_luca-stealer_magniber.exe

Filesize
132KB

MD5
ea15890b9eca7ebe540e1ebcdbd0ce5a

SHA1
4536ad88bcac07f6cba0c8cc300a0b333c0a6c45

SHA256
9b8556cccc608749131c32f145cdb6dcfaa5b0ec5304b597bab65a6cb5cb65f8

SHA512
8d1545991d8413ff57effce63208b81d2a2afea6126e62d7c71eca02d227d4417d141b008b42d30ea3fa7b999eed0b8de5734e4ab6d939623d6497fd56742f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiBL3WEw.xlsm

Filesize
21KB

MD5
57b38a1837b742b098de00f682e39175

SHA1
6f87fc136f4d683888d7d2a8926ca9e4782f1040

SHA256
b61553553f5d63e1db7c9393034df6c9a1958d5a1c7c3eca0cc480e962935006

SHA512
9de261734a6d508aeead54685a9b002c2e135d5a2e19f1a1edac824fe0a6533e7bb8ea129c0fd092d24bf0cbcdc5855acd151006a06ef9ddaf2585914acd9bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiBL3WEw.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiBL3WEw.xlsm

Filesize
25KB

MD5
5657e29f7ebb787e4f9c20fa56f0be90

SHA1
6e629da4146018ea4669edc68bcf315a09f85a4a

SHA256
c8c2c618abf62b83ab0dbf80bcc8d970e3a19fce08854451a265325065416ac7

SHA512
5bef8378ed9e892f019fc17471bca888e4af050d7c7393296afb88433d70063aec8f47056b502884da3556ca65ace3ef89e4ad3ee9f971c82b015992df8f0d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiBL3WEw.xlsm

Filesize
23KB

MD5
6b41db6804426e2caadcd4866064fb13

SHA1
ca3c4fda2c018b1d357d5a2cec1632c471061323

SHA256
c2f1b8ad20e49d8e01f4ce01157a847f72d099d76a30a119a43d059c9b7639e3

SHA512
311bb9356e559bd07ae77094238d4d99ee5b1b79674ea2e9a4d29ed93eba0247a804413a590faac1e669bcf3fce92f4bab18484ad3d956a432627cd7d9a2d57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiBL3WEw.xlsm

Filesize
21KB

MD5
9358a49ca56785631fedcf30c5d7d4d2

SHA1
f7e232d9d78f906954cd68e67665c94d0b7488c8

SHA256
0c9e6739b1a3f2bef9ba48655a8dfe25d417e506e9575c6e5ab4fba3df719fab

SHA512
80ecf47a0641160551f5447d46426a3f47a26771904bcb2f97f7c83fda7cef78a4098143a550ceed8284ffa37588712fdd928ee26314a9560e697291380aedc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiBL3WEw.xlsm

Filesize
26KB

MD5
f7e1ebf9ae8161fe5fd5d8560616cfd7

SHA1
fd7848169088e687a3a962839a8a1962bbf6037e

SHA256
38bdfea7ce8892e3ee8dbfb790f69e3fa7466538be7d6072a845007288610f90

SHA512
5708731c749c33b3773dcef7f19c5aafb11cce7fb20417e863d27c7e7e064cdf136841d5e107cddb3267733867fdedad532d271fd4f11779d3e1a6c1aec69f25

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1912-80-0x0000000000430000-0x000000000084C000-memory.dmp

Filesize
4.1MB

Download
memory/1912-88-0x0000000000430000-0x000000000084C000-memory.dmp

Filesize
4.1MB

Download
memory/1912-84-0x0000000000430000-0x000000000084C000-memory.dmp

Filesize
4.1MB

Download
memory/1912-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2132-4-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2132-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2132-3-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-2-0x0000000005CB0000-0x00000000060FA000-memory.dmp

Filesize
4.3MB

Download
memory/2132-217-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-1-0x0000000000BC0000-0x0000000001854000-memory.dmp

Filesize
12.6MB

Download
memory/2392-18-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-5-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2392-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2392-10-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2392-17-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2392-15-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2392-19-0x0000000005A50000-0x0000000005B62000-memory.dmp

Filesize
1.1MB

Download
memory/2392-20-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-40-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-14-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2392-9-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2392-7-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2692-68-0x00000000009B0000-0x0000000001644000-memory.dmp

Filesize
12.6MB

Download
memory/3024-41-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-21-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-23-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-66-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-39-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-38-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-37-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-25-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-27-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-29-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-31-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3024-33-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads