discordrat | a968f7738c801b8528bb717d3928ee75523833a882bdbc4b03bdc6e8ad4cb41a

Resubmissions

14-05-2024 15:13

240514-slrmtacd97 10

01-02-2024 17:51

240201-we464sdear 10

01-02-2024 01:30

240201-bwx4xagdd5 10

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
Size

11.4MB
MD5

2f3b5b60129dc43350bc54e67d59a4ac
SHA1

08cdc5d4d0628c619897bf465f279f7d30d42b9f
SHA256

268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0
SHA512

725593bf2587bd1c2a8c5be02c168ad739010118f68606df1234a0aa1c31f582556a0139539f3068e7f174cd516956be608d05c6a597720138556a8a606fb749
SSDEEP

196608:+XeSEzpCQdLjv+bhqNVoB8Ck5c7GpNlpq41J2mrl0bk9qtlDfJpNZYXz:q4PL+9qz88Ck+7q3p91JNRqfg

Score

10^/10

discordrat quasar r3 persistence rat rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5ODg5OTYxNjc0MjEyNTYxOQ.GnQUlc.09G3jOrvsBUkj3tHkQPTbGic1sDnwN7xUFlV3o
server_id
1201324675507171409

Extracted

Family

quasar

Version

1.4.1

Botnet

96.42.209.236:1111

Mutex

fad4f0a7-8090-44d7-960d-b61c56ece71bz

Attributes

encryption_key
D280B26CAD37534E7E290E5D4BC1809E0C214936
install_name
Shadow.exe
log_directory
Logs
reconnect_delay
1
startup_key
Shadow
subdirectory
SubDir

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019e6f-73.dat	family_quasar
behavioral1/files/0x0005000000019e6f-94.dat	family_quasar
behavioral1/files/0x0005000000019e6f-93.dat	family_quasar
behavioral1/memory/2576-95-0x00000000013D0000-0x00000000016F4000-memory.dmp	family_quasar
behavioral1/files/0x000500000001a3eb-109.dat	family_quasar
behavioral1/files/0x000500000001a3eb-110.dat	family_quasar
behavioral1/files/0x000500000001a3eb-111.dat	family_quasar
behavioral1/memory/2912-113-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar

Executes dropped EXE 6 IoCs

pid	Process
2984	BUILT.EXE
2660	DIS.EXE
2624	BUILT.EXE
2576	P1.EXE
1240	Process not Found
2912	Shadow.exe

Loads dropped DLL 17 IoCs

pid	Process
1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
2984	BUILT.EXE
2624	BUILT.EXE
2624	BUILT.EXE
2624	BUILT.EXE
2624	BUILT.EXE
2624	BUILT.EXE
2624	BUILT.EXE
2624	BUILT.EXE
1240	Process not Found
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a032-89.dat	upx
behavioral1/files/0x000500000001a032-90.dat	upx
behavioral1/memory/2624-98-0x000007FEF5340000-0x000007FEF5A18000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Shadow.exe	P1.EXE
File opened for modification	C:\Windows\system32\SubDir\Shadow.exe	P1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1508	schtasks.exe
2112	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	P1.EXE
Token: SeDebugPrivilege	2912	Shadow.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	Shadow.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2984	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	28
PID 1720 wrote to memory of 2984	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	28
PID 1720 wrote to memory of 2984	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	28
PID 1720 wrote to memory of 2984	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	28
PID 1720 wrote to memory of 2660	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	29
PID 1720 wrote to memory of 2660	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	29
PID 1720 wrote to memory of 2660	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	29
PID 1720 wrote to memory of 2660	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	29
PID 2984 wrote to memory of 2624	2984	BUILT.EXE	31
PID 2984 wrote to memory of 2624	2984	BUILT.EXE	31
PID 2984 wrote to memory of 2624	2984	BUILT.EXE	31
PID 1720 wrote to memory of 2576	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	30
PID 1720 wrote to memory of 2576	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	30
PID 1720 wrote to memory of 2576	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	30
PID 1720 wrote to memory of 2576	1720	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	30
PID 2660 wrote to memory of 2648	2660	DIS.EXE	32
PID 2660 wrote to memory of 2648	2660	DIS.EXE	32
PID 2660 wrote to memory of 2648	2660	DIS.EXE	32
PID 2576 wrote to memory of 2112	2576	P1.EXE	33
PID 2576 wrote to memory of 2112	2576	P1.EXE	33
PID 2576 wrote to memory of 2112	2576	P1.EXE	33
PID 2576 wrote to memory of 2912	2576	P1.EXE	35
PID 2576 wrote to memory of 2912	2576	P1.EXE	35
PID 2576 wrote to memory of 2912	2576	P1.EXE	35
PID 2912 wrote to memory of 1508	2912	Shadow.exe	36
PID 2912 wrote to memory of 1508	2912	Shadow.exe	36
PID 2912 wrote to memory of 1508	2912	Shadow.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
"C:\Users\Admin\AppData\Local\Temp\268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
    "C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2624
- C:\Users\Admin\AppData\Local\Temp\DIS.EXE
  "C:\Users\Admin\AppData\Local\Temp\DIS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2660 -s 596
    3⤵
    - Loads dropped DLL
    PID:2648
- C:\Users\Admin\AppData\Local\Temp\P1.EXE
  "C:\Users\Admin\AppData\Local\Temp\P1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Shadow" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Shadow.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2112
- - C:\Windows\system32\SubDir\Shadow.exe
    "C:\Windows\system32\SubDir\Shadow.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Shadow" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Shadow.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
712KB

MD5
d7ea59194df531d374ca73a90e1c37c2

SHA1
6ca2975a13e83ac61d8ed4eb5070f1f55b40118e

SHA256
7547cd6f678056bfe95085beb3d3bec56937a3ebc3eb9ba0bd162562678477f0

SHA512
8bfe7a8c9a736e6e62adf3e285e8f61ee84094e6b35e1b540913f2cb2ebae663da340d38133f5ca8ea829333ece2f80f4f215f791509ad2c5fdc25acf68d1a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
384KB

MD5
31a1d211b699374929168363d1c43fb0

SHA1
b10d1c5d5c17310d0f1a04db099ae3e7de5e45bd

SHA256
e1d918f7c595c1fea4985d035c2b7ce7ea1f490fb920aa27d81d582b0bb5c129

SHA512
0b7877add25d0cfe51ceb63c6607a888b0b98aff426d462cb5d128392563b1190efcf6b8e386d042b6461c0405c4a8fd00584595f1e643ca790e467cbd153252

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
832KB

MD5
475c91aa10db3ab3f097fdf4d6a7ef8d

SHA1
5e1e51c8a4fb434f1e9e8b89d5a12efdfa8e2b2a

SHA256
09dd5bd4e566392c820f7becfead0adcb30796ed899668b51e01f2928a0288cc

SHA512
14479399511b5451a174b3c24ff922143005fe28d948c992ea84c0f0d41b2b4dba44cdbe51309c80266942e8e3aef551677bf98eeaf97f87c75a407e47383f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIS.EXE

Filesize
78KB

MD5
b6310ca2c49b28fbac28fef7a0877d18

SHA1
8451bac38ac99353f658e7b0042fe653d4292da0

SHA256
f895e12abca5b1c4bbd96166ff1900b55e6fb2537b664b39bb140628531e8f65

SHA512
ba01e5f1295552a78b0ce58f25f4019a1d374918ab6a187cd07c2715a965a1a0c6a71b22a39d52ad20efeda0fc5c790a5afd64ff648f77b0538219c6e0d42e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\P1.EXE

Filesize
2.3MB

MD5
51b4472ba26577420928288f5cb9ad3e

SHA1
279c31688a2beeb711abe1ca11c8ee68320ac605

SHA256
7a2b7e6ff5e219a8c2232c5597dcf7794ffd7a06f701d9b0b23daa93ef4a886f

SHA512
c7799c01732ab7ec6b119926ce299798fc8a28e05793ba9a8a0a5b64261911287087f554b326e97f211d6584ccba17ec18d0c7e19c402fc4ffe1ff7f50c116b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\P1.EXE

Filesize
1.7MB

MD5
e514b7f0b335ec59fb6d5b44e0cecc6f

SHA1
502a55c2c99b11e4bca3afeaf93774ba08330baa

SHA256
29b8be2ef299d4e778414243f779f420cc049410b6163549d975723897bee7cc

SHA512
eec06a342fbc92d54e59c05ea51a08e6b1211cb89ba47478f86a877d36d6902234cf2fd403c191c86e84eaedf0472fba17ef5c27b0c89b62fdb836255d66b41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\api-ms-win-core-file-l2-1-0.dll

Filesize
12KB

MD5
7f14fd0436c066a8b40e66386ceb55d0

SHA1
288c020fb12a4d8c65ed22a364b5eb8f4126a958

SHA256
c78eab8e057bddd55f998e72d8fdf5b53d9e9c8f67c8b404258e198eb2cdcf24

SHA512
d04adc52ee0ceed4131eb1d133bfe9a66cbc0f88900270b596116064480afe6ae6ca42feb0eaed54cb141987f2d7716bb2dae947a025014d05d7aa0b0821dc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\api-ms-win-core-localization-l1-2-0.dll

Filesize
15KB

MD5
71457fd15de9e0b3ad83b4656cad2870

SHA1
c9c2caf4f9e87d32a93a52508561b4595617f09f

SHA256
db970725b36cc78ef2e756ff4b42db7b5b771bfd9d106486322cf037115bd911

SHA512
a10fcf1d7637effff0ae3e3b4291d54cc7444d985491e82b3f4e559fbb0dbb3b6231a8c689ff240a5036a7acae47421cda58aaa6938374d4b84893cce0077bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
13KB

MD5
e93816c04327730d41224e7a1ba6dc51

SHA1
3f83b9fc6291146e58afce5b5447cd6d2f32f749

SHA256
ca06ccf12927ca52d8827b3a36b23b6389c4c6d4706345e2d70b895b79ff2ec8

SHA512
beaab5a12bfc4498cdf67d8b560ef0b0e2451c5f4634b6c5780a857666fd14f8a379f42e38be1beefa1c3578b2df913d901b271719ac6794bfaab0731bb77bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\python312.dll

Filesize
448KB

MD5
a163e653176fa595063bbb4281d0aa33

SHA1
2c328e6b79ef81aa1db7b6e7f2a4375068d37829

SHA256
6795cc919b89e88c6f4a1c8df245d66f37487bd41e710d4ddb4c8404bdea2431

SHA512
c8fa4aa5117bba41c24fb85eb58802ba456d21080659cb1db823d7357141a3a1230f56d3919e624c77cc60b2a123df433fc2d48f3d3b65b874daede0bb5cb5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\ucrtbase.dll

Filesize
704KB

MD5
a29f4b08c2147bf10acf6def64e0db51

SHA1
8eb06a8ecabcf9c848452030173d7e88c1dde3c1

SHA256
c7cc0994dd464748f2b57a12a1c394c08698fc1596ad7440e835efa9fa0d2553

SHA512
b0caa7446d6eedd44ea61bba891fb9befd913383b8ca9e026f94b9d961f822ce8a44334d8f1ab15f7e4a790d3d9312c04d4abbb44df8c0e69160adc8ac021bfd

Download Submit
C:\Windows\System32\SubDir\Shadow.exe

Filesize
3.1MB

MD5
30ff1a207b160f1f6605e91d4e12082f

SHA1
1e683010500f3cfc3acfdfe338193b79435a61c6

SHA256
e571f1a3c91573d5cee9ec3e01246659c69902e9e2e16b1c61384b417a09fb55

SHA512
55f3a2ec7542113464e0d14d66106fd6f2eed488aec2ba8eae845537b3ed573fd0bbabd2e34b86742bcaf12c88958de98805d5214366503a12d0458cd0004f77

Download Submit
C:\Windows\System32\SubDir\Shadow.exe

Filesize
2.8MB

MD5
a2bc1f37fcbcd39924a67cb01086b469

SHA1
9bfd26d5dd0a32e155d75b2af5bfa9b2245851fc

SHA256
b363b6ed275e831d82664d2f87d6d1069362c574a02c7c55199074465838d9c2

SHA512
9c56bd3f17dc595968b3f55d7391cacf2f46e4997b7769fd3d5480455f2acbcf419dac348559b881e6570571795529f41f9eec8b08528cd4eb25ba90b8c03153

Download Submit
C:\Windows\system32\SubDir\Shadow.exe

Filesize
3.0MB

MD5
eba1b4e26be55d38068887c3845bf560

SHA1
056d0741544070e5e437ea5a6358ba1fc38fc928

SHA256
954115410c8abea2a05718ee1c20d51ac7138d17dd260b885075a7e2551244cf

SHA512
efbd29b3eac68f35c0e3258f3b0b7257082d46f3ff7b2fedd75f03983ca7f2d6192253c1265f0462e5ebbcdeb759e1a0adbdfa2478fa277d8a57a4073adf0435

Download Submit
\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
4.8MB

MD5
60d08dd3108bc0091c8fe4be0cf3f29d

SHA1
db415c4925d5573913102ba98f267dfb61f03354

SHA256
50ee76e4c8674a0dde20a095201addad7e715c13778167855035c8b53c592f42

SHA512
295c14b2ed07644bbc5f9789557e59d58d010f1a5502508fa0fd61fb5dec2bf77d3822bb77a7d797c0e49409c2fb8959a320c4127ba6321c84c78090f6b16d63

Download Submit
\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
1.1MB

MD5
a5c95f844fd363ad737eea20bbf5da9f

SHA1
2da74ef83e859df337aa67b10987fcbf960b9ef1

SHA256
016abcf1c0068af29a7e3d71fd108272c55a3321a4accdc34c9b8798f25983fa

SHA512
9fb3c899d0f16945c5d1ad35dc05fac8f258a7493cae2637d9d053178f2f9338215e834210213db2ec17e6025b7b120970087d521cc24fe287b1cfc42f9d29ff

Download Submit
\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
960KB

MD5
94b27e5287f379b22fe2291f48399553

SHA1
54b8e6cc541ca477214d8416f1346717bfc18f2f

SHA256
f9f190ce67a53cbf285a1f7b1971673b94a07ae1a1036a0153b4be656f896f5a

SHA512
f18c595573c6ed57b243531f6aec897c2cb39926ba6142eb77d1266676b31648b76f75898800acca46614a5243467d343244d18fe3c25d68c163bd5052376c9d

Download Submit
\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
5.6MB

MD5
c5702f4158a278400cd16046f006a0fd

SHA1
6069a31f797d025d210e803da8bde540d9c881a0

SHA256
7fad56f59929ca1cc30429e27f5851313eaab1d6d09b9f3e73d2d01c9cc0431d

SHA512
2ccf2f7630d930139d962ea3e90db00d6e6118ce8bd7e64d6e40adec230c0b62579a96a5f40ba3170a9f1e5d127aa3c2b96d873e692006143877e1c3c69f0c4a

Download Submit
\Users\Admin\AppData\Local\Temp\P1.EXE

Filesize
1024KB

MD5
b47e4e4642a1f7276e35eb528066f6e9

SHA1
5e9de52475e6f4c9f572ec4fdb3843697cd9516c

SHA256
42733414d272385c34c305877abe5c117fe2a65dff9cdd94faad930fbaa8ea3a

SHA512
f215ba001a3271181d58278acb3be0ff248968ee28e0f89e7a5fc5915da53612d71e55fc994a763f65a13f7a4438f82238c9525466d67ddd328b4afd29b63717

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29842\api-ms-win-core-file-l1-2-0.dll

Filesize
12KB

MD5
49e3260ae3f973608f4d4701eb97eb95

SHA1
097e7d56c3514a3c7dc17a9c54a8782c6d6c0a27

SHA256
476fbad616e20312efc943927ade1a830438a6bebb1dd1f83d2370e5343ea7af

SHA512
df22cf16490faa0dc809129ca32eaf1a16ec665f9c5411503ce0153270de038e5d3be1e0e49879a67043a688f6c42bdb5a9a6b3cea43bf533eba087e999be653

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
13KB

MD5
acf40d5e6799231cf7e4026bad0c50a0

SHA1
8f0395b7e7d2aac02130f47b23b50d1eab87466b

SHA256
64b5b95fe56b6df4c2d47d771bec32bd89267605df736e08c1249b802d6d48d1

SHA512
f66a61e89231b6dc95b26d97f5647da42400bc809f70789b9afc00a42b94ea3487913860b69a1b0ee59ed5eb62c3a0cade9e21f95da35fdd42d8ce51c5507632

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29842\python312.dll

Filesize
192KB

MD5
431c6d92f6293d05850d2c31467cd08a

SHA1
24d325bd1d4f7af299f5f96e3d5c7e59226584f6

SHA256
017e1eb6a8f8ad6a0fa701ca1958d64202a1a520822456ee9945deb27e83fc07

SHA512
da759d034fd8730bb5af7dc68a9548d41db0648b8b61af2c57ab0fbe5f47685343029afb0ff8dc2302237e4bcb1285ac7e6e40302d69641c42e8b279296161d4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29842\ucrtbase.dll

Filesize
640KB

MD5
f3af7cae640f3cd81fe27e283ad37118

SHA1
ea2bcdf6655bbe8e3c4f5a84c1a8430a7f15766c

SHA256
8939bffae380a8a742db14679323c08f1967085e471e688be01bde3ae0a058c5

SHA512
ad09f8646c4ae6094dcb266299714b2f3b16acbc0e407d639df9875b21e8ef5e5324d150020b186cd2f52bcdfa8bbcf1dfbe5ba7cad7d3adc945e7cb3f8046f6

Download Submit
memory/2576-97-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-114-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-95-0x00000000013D0000-0x00000000016F4000-memory.dmp

Filesize
3.1MB

Download
memory/2576-101-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/2624-98-0x000007FEF5340000-0x000007FEF5A18000-memory.dmp

Filesize
6.8MB

Download
memory/2660-91-0x000000013FEE0000-0x000000013FEF8000-memory.dmp

Filesize
96KB

Download
memory/2660-102-0x000000001B980000-0x000000001BA00000-memory.dmp

Filesize
512KB

Download
memory/2660-96-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-169-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-170-0x000000001B980000-0x000000001BA00000-memory.dmp

Filesize
512KB

Download
memory/2912-112-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-113-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download
memory/2912-115-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2912-171-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-172-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads