quasar | 0e0a586e4c7a3d6508de4cffe0c78050c01dda128441853127ef10e1e3c7e25c

Reason

Machine shutdown

General

Target

f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
Size

602KB
MD5

f78e8fdb5c76c784818c1ea7ba8217cd
SHA1

9a3ca4ab923d8b93b49f5d46c6b449845ca94c6d
SHA256

0e0a586e4c7a3d6508de4cffe0c78050c01dda128441853127ef10e1e3c7e25c
SHA512

9fc70809bac9189e693af1ccd10f35af84fe295b048ed609262a90bf071157b0a23ff2672c57f424fbcd56fc816c1400b6a9a09cd30e12619d785518151d62b3
SSDEEP

12288:hmBU27je2sGbV7LsAlhgLTj9BBnWobokcoyhUvqA2i:kBUYje21R0b9BBnWooXhQqAt

Score

10^/10

quasar venomrat windows security discovery evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XaCO2YtLAsadylDHBP

Attributes

encryption_key
eKgGUbCubcSIafuOAN5V
install_name
windows security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
windows security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4616-8-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4616-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 2 IoCs

Processes:

windows security.exewindows security.exe

pid process

4892 windows security.exe
116 windows security.exe

pid	process
4892	windows security.exe
116	windows security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com

flow	ioc
11	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exewindows security.exe

description	pid	process	target process
PID 4288 set thread context of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4892 set thread context of 116	4892	windows security.exe	windows security.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4792 116 WerFault.exe windows security.exe

pid	pid_target	process	target process
4792	116	WerFault.exe	windows security.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exewindows security.exeschtasks.exef78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exef78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exeschtasks.exewindows security.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows security.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4876 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4876 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2856 schtasks.exe
656 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4728 powershell.exe
4728 powershell.exe

pid	process
4876	PING.EXE

pid	process
4876	PING.EXE

pid	process
2856	schtasks.exe
656	schtasks.exe

pid	process
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exepowershell.exewindows security.exe

description	pid	process
Token: SeDebugPrivilege	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	116	windows security.exe
Token: SeDebugPrivilege	116	windows security.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windows security.exe

pid process

116 windows security.exe

pid	process
116	windows security.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exef78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exewindows security.exewindows security.exe

description	pid	process	target process
PID 4288 wrote to memory of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4288 wrote to memory of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4288 wrote to memory of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4288 wrote to memory of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4288 wrote to memory of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4288 wrote to memory of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4288 wrote to memory of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4288 wrote to memory of 4616	4288	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
PID 4616 wrote to memory of 2856	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	schtasks.exe
PID 4616 wrote to memory of 2856	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	schtasks.exe
PID 4616 wrote to memory of 2856	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	schtasks.exe
PID 4616 wrote to memory of 4892	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	windows security.exe
PID 4616 wrote to memory of 4892	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	windows security.exe
PID 4616 wrote to memory of 4892	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	windows security.exe
PID 4616 wrote to memory of 4728	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	powershell.exe
PID 4616 wrote to memory of 4728	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	powershell.exe
PID 4616 wrote to memory of 4728	4616	f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe	powershell.exe
PID 4892 wrote to memory of 116	4892	windows security.exe	windows security.exe
PID 4892 wrote to memory of 116	4892	windows security.exe	windows security.exe
PID 4892 wrote to memory of 116	4892	windows security.exe	windows security.exe
PID 4892 wrote to memory of 116	4892	windows security.exe	windows security.exe
PID 4892 wrote to memory of 116	4892	windows security.exe	windows security.exe
PID 4892 wrote to memory of 116	4892	windows security.exe	windows security.exe
PID 4892 wrote to memory of 116	4892	windows security.exe	windows security.exe
PID 4892 wrote to memory of 116	4892	windows security.exe	windows security.exe
PID 116 wrote to memory of 656	116	windows security.exe	schtasks.exe
PID 116 wrote to memory of 656	116	windows security.exe	schtasks.exe
PID 116 wrote to memory of 656	116	windows security.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2856
- - C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:116
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiattwPaksYl.bat" "
        5⤵
        
        PID:4620
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:984
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1980
        5⤵
        Program crash
        
        PID:4792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 116 -ip 116
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Temp\OiattwPaksYl.bat

Filesize
217B

MD5
7f238398d1bd56282df55cc7350e8a4b

SHA1
67c7b6772642179b442b003edf017190f9ecf107

SHA256
26a8e7a03ca3283428084d2f8cd6ad6c0c65f5e51df1480ac525b3cab6268309

SHA512
9ce42924ada61cf7c84209c73d3360a72b8ff2219672beeab57eb40de1327eab87ad33d002c0f5d7c73b0afb29891104de09dd1c3ccb0d62051d10adcd079e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqn5sho2.rlz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe

Filesize
602KB

MD5
f78e8fdb5c76c784818c1ea7ba8217cd

SHA1
9a3ca4ab923d8b93b49f5d46c6b449845ca94c6d

SHA256
0e0a586e4c7a3d6508de4cffe0c78050c01dda128441853127ef10e1e3c7e25c

SHA512
9fc70809bac9189e693af1ccd10f35af84fe295b048ed609262a90bf071157b0a23ff2672c57f424fbcd56fc816c1400b6a9a09cd30e12619d785518151d62b3

Download Submit
memory/116-44-0x0000000006960000-0x000000000696A000-memory.dmp

Filesize
40KB

Download
memory/4288-4-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/4288-0-0x000000007528E000-0x000000007528F000-memory.dmp

Filesize
4KB

Download
memory/4288-1-0x0000000000B40000-0x0000000000BDC000-memory.dmp

Filesize
624KB

Download
memory/4288-5-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download
memory/4288-12-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4288-2-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4288-3-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/4288-7-0x0000000005540000-0x000000000554A000-memory.dmp

Filesize
40KB

Download
memory/4616-15-0x0000000005CA0000-0x0000000005CB2000-memory.dmp

Filesize
72KB

Download
memory/4616-16-0x0000000006320000-0x000000000635C000-memory.dmp

Filesize
240KB

Download
memory/4616-14-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/4616-13-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4616-11-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4616-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4728-29-0x0000000005E30000-0x0000000005E52000-memory.dmp

Filesize
136KB

Download
memory/4728-59-0x0000000007930000-0x00000000079D3000-memory.dmp

Filesize
652KB

Download
memory/4728-30-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4728-26-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/4728-40-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/4728-42-0x00000000069A0000-0x00000000069EC000-memory.dmp

Filesize
304KB

Download
memory/4728-41-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/4728-23-0x0000000005150000-0x0000000005186000-memory.dmp

Filesize
216KB

Download
memory/4728-48-0x0000000070720000-0x000000007076C000-memory.dmp

Filesize
304KB

Download
memory/4728-47-0x0000000006D00000-0x0000000006D32000-memory.dmp

Filesize
200KB

Download
memory/4728-58-0x0000000006D40000-0x0000000006D5E000-memory.dmp

Filesize
120KB

Download
memory/4728-70-0x0000000007D80000-0x0000000007D88000-memory.dmp

Filesize
32KB

Download
memory/4728-61-0x00000000080A0000-0x000000000871A000-memory.dmp

Filesize
6.5MB

Download
memory/4728-62-0x0000000007A60000-0x0000000007A7A000-memory.dmp

Filesize
104KB

Download
memory/4728-69-0x0000000007DA0000-0x0000000007DBA000-memory.dmp

Filesize
104KB

Download
memory/4728-64-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

Filesize
40KB

Download
memory/4728-65-0x0000000007CE0000-0x0000000007D76000-memory.dmp

Filesize
600KB

Download
memory/4728-66-0x0000000007C60000-0x0000000007C71000-memory.dmp

Filesize
68KB

Download
memory/4728-67-0x0000000007C90000-0x0000000007C9E000-memory.dmp

Filesize
56KB

Download
memory/4728-68-0x0000000007CA0000-0x0000000007CB4000-memory.dmp

Filesize
80KB

Download
memory/4892-22-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4892-28-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads