quasar | 5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48

Analysis

max time kernel
297s
max time network
299s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/06/2024, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$sxr-Uni.exe
Size

349KB
MD5

1ec86aa544089409730a3777da35c70a
SHA1

b592008ecc06d47bd7170f0ad3799e114139df0f
SHA256

5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48
SHA512

fbd7a000b74f0488039aa9213d56cf464b55629c9c649bde2835216f699f51f921d417d090e7e2e0d6e7c10a07c4b767ada82a8ac45fcfc10c950163f2df9715
SSDEEP

6144:ErL3HRsM+OFZHBcFU4EljaWbrqXMxxz5A8XklSoj:6VP+MXuCJayqXMr5mlSoj

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.0.0

Botnet

Slave

runderscore00-63294.portmap.host:63294

Mutex

QSR_MUTEX_zImH6b2ccpa3QdeboZ

Attributes

encryption_key
Ep14qTjvhc0fuqxF9hv4
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral3/memory/4404-1-0x0000000000500000-0x000000000055E000-memory.dmp	family_quasar
behavioral3/files/0x000300000002a9ac-12.dat	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2416	$sxr-powershell.exe
748	$sxr-powershell.exe
4704	$sxr-powershell.exe
4460	$sxr-powershell.exe
788	$sxr-powershell.exe
3536	$sxr-powershell.exe
2688	$sxr-powershell.exe
3308	$sxr-powershell.exe
4152	$sxr-powershell.exe
2388	$sxr-powershell.exe
4384	$sxr-powershell.exe
972	$sxr-powershell.exe
1228	$sxr-powershell.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
27	ip-api.com
30	ip-api.com
13	ip-api.com
17	ip-api.com
19	ip-api.com
32	ip-api.com
35	ip-api.com
1	ip-api.com
22	ip-api.com
24	ip-api.com
7	api.ipify.org
10	ip-api.com
37	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1572	2416	WerFault.exe	80
884	748	WerFault.exe	90
1752	4704	WerFault.exe	99
1052	4460	WerFault.exe	108
400	788	WerFault.exe	117
2708	3536	WerFault.exe	126
3272	2688	WerFault.exe	135
4920	3308	WerFault.exe	144
1172	4152	WerFault.exe	153
1176	2388	WerFault.exe	162
4156	4384	WerFault.exe	171
964	972	WerFault.exe	180
4184	1228	WerFault.exe	189

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4948	schtasks.exe
1544	schtasks.exe
3160	schtasks.exe
2608	schtasks.exe
3364	schtasks.exe
1780	schtasks.exe
2944	schtasks.exe
4688	schtasks.exe
3952	schtasks.exe
4960	schtasks.exe
4812	schtasks.exe
1368	schtasks.exe
1876	schtasks.exe
524	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
4980	PING.EXE
4236	PING.EXE
2184	PING.EXE
4028	PING.EXE
1216	PING.EXE
3264	PING.EXE
3004	PING.EXE
2840	PING.EXE
2592	PING.EXE
3828	PING.EXE
5000	PING.EXE
4668	PING.EXE
1308	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4404	$sxr-Uni.exe
Token: SeDebugPrivilege	2416	$sxr-powershell.exe
Token: SeDebugPrivilege	748	$sxr-powershell.exe
Token: SeDebugPrivilege	4704	$sxr-powershell.exe
Token: SeDebugPrivilege	4460	$sxr-powershell.exe
Token: SeDebugPrivilege	788	$sxr-powershell.exe
Token: SeDebugPrivilege	3536	$sxr-powershell.exe
Token: SeDebugPrivilege	2688	$sxr-powershell.exe
Token: SeDebugPrivilege	3308	$sxr-powershell.exe
Token: SeDebugPrivilege	4152	$sxr-powershell.exe
Token: SeDebugPrivilege	2388	$sxr-powershell.exe
Token: SeDebugPrivilege	4384	$sxr-powershell.exe
Token: SeDebugPrivilege	972	$sxr-powershell.exe
Token: SeDebugPrivilege	1228	$sxr-powershell.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2416	$sxr-powershell.exe
748	$sxr-powershell.exe
4704	$sxr-powershell.exe
4460	$sxr-powershell.exe
788	$sxr-powershell.exe
3536	$sxr-powershell.exe
2688	$sxr-powershell.exe
3308	$sxr-powershell.exe
4152	$sxr-powershell.exe
2388	$sxr-powershell.exe
4384	$sxr-powershell.exe
972	$sxr-powershell.exe
1228	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 1780	4404	$sxr-Uni.exe	78
PID 4404 wrote to memory of 1780	4404	$sxr-Uni.exe	78
PID 4404 wrote to memory of 1780	4404	$sxr-Uni.exe	78
PID 4404 wrote to memory of 2416	4404	$sxr-Uni.exe	80
PID 4404 wrote to memory of 2416	4404	$sxr-Uni.exe	80
PID 4404 wrote to memory of 2416	4404	$sxr-Uni.exe	80
PID 2416 wrote to memory of 4688	2416	$sxr-powershell.exe	81
PID 2416 wrote to memory of 4688	2416	$sxr-powershell.exe	81
PID 2416 wrote to memory of 4688	2416	$sxr-powershell.exe	81
PID 2416 wrote to memory of 416	2416	$sxr-powershell.exe	83
PID 2416 wrote to memory of 416	2416	$sxr-powershell.exe	83
PID 2416 wrote to memory of 416	2416	$sxr-powershell.exe	83
PID 416 wrote to memory of 4892	416	cmd.exe	86
PID 416 wrote to memory of 4892	416	cmd.exe	86
PID 416 wrote to memory of 4892	416	cmd.exe	86
PID 416 wrote to memory of 1216	416	cmd.exe	88
PID 416 wrote to memory of 1216	416	cmd.exe	88
PID 416 wrote to memory of 1216	416	cmd.exe	88
PID 416 wrote to memory of 748	416	cmd.exe	90
PID 416 wrote to memory of 748	416	cmd.exe	90
PID 416 wrote to memory of 748	416	cmd.exe	90
PID 748 wrote to memory of 1544	748	$sxr-powershell.exe	91
PID 748 wrote to memory of 1544	748	$sxr-powershell.exe	91
PID 748 wrote to memory of 1544	748	$sxr-powershell.exe	91
PID 748 wrote to memory of 1364	748	$sxr-powershell.exe	93
PID 748 wrote to memory of 1364	748	$sxr-powershell.exe	93
PID 748 wrote to memory of 1364	748	$sxr-powershell.exe	93
PID 1364 wrote to memory of 4324	1364	cmd.exe	97
PID 1364 wrote to memory of 4324	1364	cmd.exe	97
PID 1364 wrote to memory of 4324	1364	cmd.exe	97
PID 1364 wrote to memory of 4980	1364	cmd.exe	98
PID 1364 wrote to memory of 4980	1364	cmd.exe	98
PID 1364 wrote to memory of 4980	1364	cmd.exe	98
PID 1364 wrote to memory of 4704	1364	cmd.exe	99
PID 1364 wrote to memory of 4704	1364	cmd.exe	99
PID 1364 wrote to memory of 4704	1364	cmd.exe	99
PID 4704 wrote to memory of 3160	4704	$sxr-powershell.exe	100
PID 4704 wrote to memory of 3160	4704	$sxr-powershell.exe	100
PID 4704 wrote to memory of 3160	4704	$sxr-powershell.exe	100
PID 4704 wrote to memory of 3144	4704	$sxr-powershell.exe	102
PID 4704 wrote to memory of 3144	4704	$sxr-powershell.exe	102
PID 4704 wrote to memory of 3144	4704	$sxr-powershell.exe	102
PID 3144 wrote to memory of 3344	3144	cmd.exe	105
PID 3144 wrote to memory of 3344	3144	cmd.exe	105
PID 3144 wrote to memory of 3344	3144	cmd.exe	105
PID 3144 wrote to memory of 4236	3144	cmd.exe	106
PID 3144 wrote to memory of 4236	3144	cmd.exe	106
PID 3144 wrote to memory of 4236	3144	cmd.exe	106
PID 3144 wrote to memory of 4460	3144	cmd.exe	108
PID 3144 wrote to memory of 4460	3144	cmd.exe	108
PID 3144 wrote to memory of 4460	3144	cmd.exe	108
PID 4460 wrote to memory of 4812	4460	$sxr-powershell.exe	109
PID 4460 wrote to memory of 4812	4460	$sxr-powershell.exe	109
PID 4460 wrote to memory of 4812	4460	$sxr-powershell.exe	109
PID 4460 wrote to memory of 2604	4460	$sxr-powershell.exe	111
PID 4460 wrote to memory of 2604	4460	$sxr-powershell.exe	111
PID 4460 wrote to memory of 2604	4460	$sxr-powershell.exe	111
PID 2604 wrote to memory of 1060	2604	cmd.exe	114
PID 2604 wrote to memory of 1060	2604	cmd.exe	114
PID 2604 wrote to memory of 1060	2604	cmd.exe	114
PID 2604 wrote to memory of 3828	2604	cmd.exe	116
PID 2604 wrote to memory of 3828	2604	cmd.exe	116
PID 2604 wrote to memory of 3828	2604	cmd.exe	116
PID 2604 wrote to memory of 788	2604	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1780
- C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
  "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T8NFiZavkYQP.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:416
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1216
  - - C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
      "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nw8NMRox1DKN.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4324
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4980
      - C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ABQZ9vpfDyy.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4236
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        9⤵
        Creates scheduled task(s)
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgvgEkTCRaMK.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:3828
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEa3zEZMcUvK.bat" "
        11⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:3264
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        13⤵
        Creates scheduled task(s)
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\139uQqxiPxWC.bat" "
        13⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        15⤵
        Creates scheduled task(s)
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbpHCK3sar4C.bat" "
        15⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        17⤵
        Creates scheduled task(s)
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyHSHKO3VBEY.bat" "
        17⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        19⤵
        Creates scheduled task(s)
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pJorHtYnUQPE.bat" "
        19⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        21⤵
        Creates scheduled task(s)
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3bbPMo0RZJjO.bat" "
        21⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        Runs ping.exe
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        23⤵
        Creates scheduled task(s)
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NPLX0fETqydM.bat" "
        23⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        25⤵
        Creates scheduled task(s)
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3uH3sWcW6XKp.bat" "
        25⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        Runs ping.exe
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        27⤵
        Creates scheduled task(s)
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C7WNIUZ5EjHV.bat" "
        27⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:4668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 952
        27⤵
        Program crash
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1108
        25⤵
        Program crash
        
        PID:964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1744
        23⤵
        Program crash
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2284
        21⤵
        Program crash
        
        PID:1176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1744
        19⤵
        Program crash
        
        PID:1172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1736
        17⤵
        Program crash
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1108
        15⤵
        Program crash
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 2256
        13⤵
        Program crash
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 1108
        11⤵
        Program crash
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 2292
        9⤵
        Program crash
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1108
        7⤵
        Program crash
        
        PID:1752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1104
        5⤵
        Program crash
        
        PID:884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 2180
    3⤵
    - Program crash
    PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 748 -ip 748
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4704 -ip 4704
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4460 -ip 4460
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 788 -ip 788
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3536 -ip 3536
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2688 -ip 2688
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3308 -ip 3308
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4152 -ip 4152
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2388 -ip 2388
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4384 -ip 4384
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 972 -ip 972
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1228 -ip 1228
1⤵
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ABQZ9vpfDyy.bat

Filesize
223B

MD5
d1df08dc98263e5dfbd946ecf493eaf6

SHA1
605a71bfd3c65e5bf1168032bbf87e348c1d3fc7

SHA256
9547e54aac0360f8bab18193b0e32ea809dfd7ddc294019f6d460c603c37d1de

SHA512
7e729600d0d777b1362800f8796f808cd941dfb6d0917aad639cece051a8ab753133d924c8ad4d16def735372f9474a18d8568dbbde97efd670f26ec11f71cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\139uQqxiPxWC.bat

Filesize
223B

MD5
4d38e3231002a7f07cba82bc6c7fde9b

SHA1
ad8f97fb954ad6289b31f994caf5a013d27b6d36

SHA256
cf3899801cb5650ece892d444d95a5f31a6223eec4d0e895a786e21444eecf48

SHA512
f0f0c9a0d6c004d2a7658b92db31903381bff2576f03299b6b5196d670581ea269224c90b02c8ee1d558b6e82817fef5f07646453f53b1d2ab7750623defd003

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bbPMo0RZJjO.bat

Filesize
223B

MD5
3a3f0762bb95e24151f1e3669ebd8d8c

SHA1
3842955eec6f5f77714bd86cf66dbf2b2f6f3a38

SHA256
20c6e65f65cd21d4a0e0efc2faa8dbb78e21c9b76cf54e32d8dc55180686e793

SHA512
5095b01676ded70e051b8bfc53ca6613cefca6015f1fdb88b8b5231463b39504e0306921422b22b4f40912b29b84b1b08fa37a96dfdad970500a25622db4c48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3uH3sWcW6XKp.bat

Filesize
223B

MD5
dc23e15f731d8a1ad844c1dfdea97f34

SHA1
fa2b783eb34adf83642a987377035804b819cecb

SHA256
49915839577a49cf117c1c34ea2c0b53ef5f8ae311e40ae591f2f842057728d3

SHA512
0d7412db1dd42f9bc56309d3975262eb8e86c049082b08f30bc7974f60bc34c56660f87dc04937b430b5a5604732edbc4522a938a7c7750644c7999af17983c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7WNIUZ5EjHV.bat

Filesize
223B

MD5
4cdee142ca975454036507258b047d90

SHA1
39f84d3112e4a8b9bb9e0a7558e7e1cc5f196108

SHA256
1b8a8eba89e373f827b40d1acbdbe04b7ec9cbded422da7d58e7fb8739b3137d

SHA512
a63ba5a001f23b545c1d541617def1a594522ab90952b71a9bb74f17babc304e4e50ad7eb5c47b6b2e800057bc8c160e7a7e3d6cebb650968676489da79efd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyHSHKO3VBEY.bat

Filesize
223B

MD5
16c562c7d0f72a9bdfaea420f5864b17

SHA1
3c3af4c689f306644fe6692b015db7713ce6dfd6

SHA256
be5cd69142c983f9d287f72fbac6e0ac68c4f04ed756a30d2e8f313bc6ffa78a

SHA512
3b4d76b72d3a173919aeb079f510565cdecd29d18b12f021ae3a36fa58d5170363a71babe7f0ca31b5e90855fd7fa8080c3715a09aed79d9a77d5445bcd469d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NPLX0fETqydM.bat

Filesize
223B

MD5
395615d322f996dd916ad25a077598bb

SHA1
c4c1dfea587e389e4ea56605c5ecc60f1a8d5cda

SHA256
2ee5172653d3257d9f6cdc90dc32b2f7b3a584eecd0e24f5f294494eda4a4a1a

SHA512
749e66cb2eedc3dc7c9512e27a8e884c3c2047fe41a3dba790ef92016d072c5baed4d88b0eb07555f7eaeae453daa9e8963fb65e082d0805bffb0a851a221ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\T8NFiZavkYQP.bat

Filesize
223B

MD5
b5cbeb6b1cbfc8dd8e0c9dde19cb0e72

SHA1
efeb4d4589bd9b37ff68bcbc2c86ae54af6b94ec

SHA256
ef1e4e30cdaf5dd7b439d2a16444b633985a606b9e41897983ea5b17250d9090

SHA512
2993a2051916af9c671476970234cab3841dc0d04196800baec264ce7e0e211f8723f1699b55e97db1871422f11a78fe18fc438d4fe44ab03772502e5f45a703

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEa3zEZMcUvK.bat

Filesize
223B

MD5
2be6846ccdc090a6680df050b9818bad

SHA1
2e611c1165ba9d99d794529a1b1e3dffa16472d8

SHA256
8ffd3f383e2a96e398445825d41c38b72afa77de808607519d0963abe765d2a4

SHA512
70a8f2f06cad13164aa997f137f005df0eba0c777730c5f310441fb701a4a44c5620dc5b62bbc76ecb81bedde2e8cf738080722b8cb235d361ad82ca42ce2d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgvgEkTCRaMK.bat

Filesize
223B

MD5
e62f463270a4405de5c421aa2417b6d8

SHA1
65dd6d5cc22a595f9863ca1e9e943b7451bc7c74

SHA256
b68c4a1cade9a142460b400b8db9bdb912d0afa1fec35a7da09c6ef8eb504d4b

SHA512
8763be494f0f6ec1443f0ffd01cee9dc6ca4fdbdbd4291fde2b8fc70895a445ae3248ffc2083496deb518f7dc23762859ae3a6ffa486b87a40365bebb70c98a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nw8NMRox1DKN.bat

Filesize
223B

MD5
fd5e613603d0f2059ba809fd9922a45a

SHA1
ba6af74772793d691a0b7a082a0986a8b5ae509e

SHA256
b489b5970563685daef9628bbcfe2d617de6e626467c4979f8a51d4a1e9f1a63

SHA512
6f89a353d641a9c52bad657cb670175427bafa4dcbed6c43f3049dba58e4533ec824bdc1389a8c11af91f7022f5890780e8a38eb3a8bf1bec002ec80e74da027

Download Submit
C:\Users\Admin\AppData\Local\Temp\pJorHtYnUQPE.bat

Filesize
223B

MD5
09a2e6ec65de3e4bc75e9176428791d6

SHA1
a8256212b3ce9730cb9362f34eeb727cb4cd9467

SHA256
a51b1e99491d5e9111f2142b57b22983d126481ab8408dc590349e359a96e8b2

SHA512
4adfc996fe16f6d3df4bb717bc30203cb5b50e39d9002e8fcebca95d8d9e09183d6c2b47ccc84d2507aaba1263856c4ad607d579eb187e1c03ea3685b0503a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbpHCK3sar4C.bat

Filesize
223B

MD5
a669f4af4b467c65cb9055e8b1480d42

SHA1
6ff1a8297b35aa22c3bc61484eae9084992b7966

SHA256
23699dfe6ffecdbfd1848c1c981b9638c4c4cada7cbd3a143111e6b0b46c1254

SHA512
c32f7f54facd560812fea0496c72deafee3bf14b9a5509b9d25945c8e640b2eec9cd2be015645595fa94a4ccb67769545e94114c0d1a13abf075d5ff14f79623

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
39832b01ab6f1dfbb6fc85b11ece631e

SHA1
513ce760dc4d52ff0e95303871d06900d8f8f3a1

SHA256
0b3694543a2110511c29adccd04ca9f5c9453c9904dbb69038c16d4ee9215e52

SHA512
40b7f485d2489b6fd7559429460c312ef6bf83141571e947ccbfe84424e24a3251f1ef1f57bde9413434a61702d2154993d9602527f8e6563e7582560955a0ba

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
4f2e1b66a0a7c8159f60e1e31abcee7e

SHA1
571e5b15f8a2f0dcb2fb0102156a341264dbd2c5

SHA256
76dd18852ed2077771a76fdf569d729994dbc655dfa86c89b81aae73dfe53a25

SHA512
dc11c41a7c8228ac570fb44906c65b91147922823a63b17a8502044b21df3da4571761b5f1d04dcf8349c04be752ac6649080c4db2a0a7028d6f8084920d712c

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
1ba08fb7c4dcf1b1941640512a907420

SHA1
139269253144ab57bebff2b57e654289dcc0e986

SHA256
52ccde86d5b6158a625411d026bfa605214e524b6be4160c207f5f8f5f1097cc

SHA512
8064f303d89689369eeb12e03a5d350d6fdf693afba956c19b892d15d213305810dbcd9dddc3f6d08f2b7e4c17222421ea70772a99c8eda5e5c9f9460728601a

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
ddb8bca5b1d5261cea3f11db84c33b31

SHA1
a5dead7831446eb21e5720e8e99650019a874f0a

SHA256
5cd9784239d19d75bf63325b2398445a0f3d861eda39827c823d55e5e8c2dac0

SHA512
034ba50f957b7f60223a092115fdf94af6f5178e205be10c1a7a179393560207533918bba24cdcef4c707191536cbb6b56293171da3d63168c3b81f7295edc43

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
607ff384f08a1297cc0cd50753b35c6b

SHA1
6a76629a291246c17d2bc61dc2eb4c5241bc6e61

SHA256
910372a2030eb95866c42b07ff5965505b64797eff992198457be4dad2f3d188

SHA512
62d9ba3aba9ae876ade39cb25878e082d095d26c92490f60f064a9313720e9ad3715ddfd2b48c27c7754edd3eadbbb49a8cf5491977e084b24aa3054085d0a54

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
df62268d02940d65753c341d4981226c

SHA1
c907a4910857737d104a10ffa592f2ff33b9ece3

SHA256
e7bd0c4df2bb703f5be8516c5fba58827a0d1cfb34c233c21d36dc3607c3ff45

SHA512
afbb01ed8245f3f05b300d4da9532732c7997f86ad4f3dbe3417bbcf5c6721677b49759623a15f59cc61ad1d2c6c4c30a68056d38c586af8ffdbb87bfde5c6b1

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
05a97319d1c8f9970295705578155de2

SHA1
9b466c42cec5787929f69d87d79678b239fab9ce

SHA256
a6ba67c11e4ede634fe4867563db83f502a14b21e890e6c435fd5257c65fa2a3

SHA512
4fdfb38b764d11e50e6209c6b32b066b32a47ec7987ebeee0ad85a0a04c935d5a5072b25a36c4f3046b5adf713cfbcedd3becec796816ab26981148bd8cc53b2

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
825f23bef1e106e658774d277e0b27a2

SHA1
ccf10e1941762a2e826885acdea890702995be6c

SHA256
109aa93fcbccd5dd4e59e6043772e0c678e7669ccb245c90da7ec29dcd79d963

SHA512
4586aca926ef514ac199d8b4490c8c34cbe45f9371a2d94240dff4d5be52f51ccb5ae82bbea6bc7d2fc8bcf1eddc09a40b1bc89c533270201f73a6f92b1138f5

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
83cc03c553224bce1b8c9c37de60d565

SHA1
59bbbe027452c870fc212faa42d1d6988789435a

SHA256
005e9d32e6a8e4d261b1e77a8b7448071e443fccbde573ea9d919b62158ec85b

SHA512
1256cdb71d9fdf1835adc1b923788ea3e7c455261167be7ac64f956a15946668ddeb87606f6212473e75849bd332de9e406728b3805128f5807c5ba1d44ee551

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
8d99c7fb43366b608a612c0d1d0b9250

SHA1
654c851657ef1d0e64c31b8cb5be9bf496e45a46

SHA256
a89e82de2fdfd97d4119c69c17f4405c4979b90cdffd96c2b54ffe14ace623a8

SHA512
0240b4114867863103f1a3353f0cb703c420af744d0a28571bf9d372254e0ce37c569c761556d203e3ac32afb2fbb7a5c671a5bc46a55fbe7c474ba9c6e560a8

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
3e00d66bf753986ba4e089a7277e9937

SHA1
465b101783836c6f52faeac625ab42be7dc7d0a4

SHA256
47e08043f18c8e5a51b20080827693677c87f55cbed3a8a936335a47a62d1aac

SHA512
c6d2ad01ccb5702b8618e1459b0d03a156c15e93a5b5f6540f020538c10779ae57f2f7161b559f244829c323687127f5ab640685197105f27296c1aee6832a78

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
f64073b808bd356a3f3aebab2034ca1e

SHA1
df86632af2ddc210e56ce950c260b3670f9f8721

SHA256
9a302ba8eb9e50ffa4afecd412070089ab8a5cc7622e60aa13db3c2f8a240791

SHA512
734590aa5469da1b87bf82abd42556f0d6ea2d3a83c68517b4bc6669a382fef0c4925ae50b86e4fe1494cecd12dfc03b2ec997889c7cf9d203b70d169776e9c5

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

Filesize
349KB

MD5
1ec86aa544089409730a3777da35c70a

SHA1
b592008ecc06d47bd7170f0ad3799e114139df0f

SHA256
5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48

SHA512
fbd7a000b74f0488039aa9213d56cf464b55629c9c649bde2835216f699f51f921d417d090e7e2e0d6e7c10a07c4b767ada82a8ac45fcfc10c950163f2df9715

Download Submit
memory/2416-19-0x0000000006790000-0x000000000679A000-memory.dmp

Filesize
40KB

Download
memory/2416-17-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/2416-16-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/2416-24-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4404-15-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4404-6-0x0000000005D40000-0x0000000005D52000-memory.dmp

Filesize
72KB

Download
memory/4404-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/4404-5-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/4404-7-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/4404-4-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4404-8-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4404-3-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/4404-2-0x0000000005690000-0x0000000005C36000-memory.dmp

Filesize
5.6MB

Download
memory/4404-1-0x0000000000500000-0x000000000055E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads