quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
132s
max time network
133s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-11-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045062-2.dat	family_quasar
behavioral1/memory/1200-5-0x0000000000F80000-0x00000000012A4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 2 IoCs

pid	Process
1200	kreo q zi.exe
3688	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	Client.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
748	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3044	schtasks.exe
1760	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3404	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3404	7zFM.exe
Token: 35	3404	7zFM.exe
Token: SeSecurityPrivilege	3404	7zFM.exe
Token: SeDebugPrivilege	1200	kreo q zi.exe
Token: SeDebugPrivilege	3688	Client.exe
Token: SeSecurityPrivilege	3404	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3404	7zFM.exe
3404	7zFM.exe
3404	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3688	Client.exe
4584	OpenWith.exe
2448	POWERPNT.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3044	1200	kreo q zi.exe	94
PID 1200 wrote to memory of 3044	1200	kreo q zi.exe	94
PID 1200 wrote to memory of 3688	1200	kreo q zi.exe	96
PID 1200 wrote to memory of 3688	1200	kreo q zi.exe	96
PID 3688 wrote to memory of 1760	3688	Client.exe	97
PID 3688 wrote to memory of 1760	3688	Client.exe	97
PID 3688 wrote to memory of 2448	3688	Client.exe	102
PID 3688 wrote to memory of 2448	3688	Client.exe	102
PID 3688 wrote to memory of 2448	3688	Client.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3404

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3044
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1760
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\CheckpointRequest.ppsx" /ou ""
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\DismountClear.gif"
    3⤵
    PID:3120
- - C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\DismountLimit.gif"
    3⤵
    PID:3444
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\DismountUnpublish.DVR-MS"
    3⤵
    PID:2608
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ExitConvert.css
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:748
- - C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\ExitMeasure.jpe"
    3⤵
    PID:1692
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\AppData\Roaming\GetCopy.xltm"
    3⤵
    PID:1852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\InvokeRestart.html
    3⤵
    PID:696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x144,0x148,0x40,0x14c,0x7ffb909346f8,0x7ffb90934708,0x7ffb90934718
      4⤵
      PID:228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4005280040368945341,789141195221662251,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,4005280040368945341,789141195221662251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      PID:5236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,4005280040368945341,789141195221662251,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
      4⤵
      PID:5248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4005280040368945341,789141195221662251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:5560
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\MountSave.aiff"
    3⤵
    PID:5400
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\PopExpand.M2V"
    3⤵
    PID:5548
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\ReceiveDeny.ogg"
    3⤵
    PID:4992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2516
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  PID:668
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
PID:1296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2905b2a304443857a2afa4fc0b12fa24

SHA1
6266f131d70f5555e996420f20fa99c425074ec3

SHA256
5298bdb27d48c2c2b5e67bdd435445ef5b06d9b36c11394705b413ff3d0f51f3

SHA512
df85de0c817350d8ca3346def1db8653aaee51705822b4c4484c97e7d31282a2936fa516d68c298dcbbb293b044aa7101b3de0c7852c26e98ac6c91415162b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5391bd7b113cd90892553d8e903382f

SHA1
2a164e328c5ce2fc41f3225c65ec7e88c8be68a5

SHA256
fd9710650fc6774ce452b01fb37799cd64d3cdc282ac693e918e38322349fe79

SHA512
41957bea3e09c2f69487592df334edc6e3e6de3ab71beb64d9b6d9ce015e02a801b4215344d5d99765abe8ab2396394ac4664fced9f871204453a79463cc7825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
8020a91c2bdaa50560fc3b697ac2eefc

SHA1
60d1e3821e29f8e16c9b31955fab377cc9eb280e

SHA256
0210df3b6199564c7f87ff52d7c6c68c54bcfead35354e995c3c8a77fcff8f83

SHA512
16d9fe99461753c7b0c62b4c7075a2fd954461bbe80cf964c36d7e13d367e177a0d981db2aca2dbb51146f47a9bc02478763f13fbd25c7ab3f1c62a2934edbe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ad9709100fb43b77314ee7765b27828

SHA1
5cd0c406c08c9c1073b0c08169ccaffbd4ef6b98

SHA256
04b61824ffce6fdbae4e6a527ae58b85813226ee28fe4d631feb76b5f936a1a9

SHA512
fc55ee34b1107e298f2cfcb20dce42b5dbc98a7b68e72ed80a6ea594f66dff6f9e9cb70ad5ccbf5ad2171275f375abac1defd8dad4118afa280cd9c1d9f6a538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
063793e4ba784832026ec8bc3528f7f1

SHA1
687d03823d7ab8954826f753a645426cff3c5db4

SHA256
cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd

SHA512
225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
21d1fbf1927275a1d65517c09f1b4761

SHA1
c863b4d32e06c2ad92bb29ba7cd3f86981f57ae2

SHA256
e631d5f93ee7bd6a90bf8340d8517d7177312ae808e7d455bf008978aa16be5a

SHA512
7439807e1032f4f765036dbcf464fe0cea5513b158d30faf5c2dbe77cd3b1e78394c65b892d3b4656059a4dade1bd672320216b00569559c716a1b684260de3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FDA5EE0C-95C1-4C21-998C-25067F411608

Filesize
174KB

MD5
af08c9f30927570312b17e40079eb808

SHA1
157e2a0f0923c02c1cda5df3fef69ca6564390cd

SHA256
05e7805cc98153b15f8dceec8e81e086ff74a8d8459105e2e45973ff11289c7a

SHA512
7a3b651bf779efe2b0b8de647164cd361b5b245123b3688063053fab2746c5e21310c9fb8506bce72216776e85be7698ac4b73a4028310589af377fa94dd4336

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
a2aa473f1d57138b58dc938fbbe42ffe

SHA1
4b356319dd4fb4aca71d20958773263660e709ab

SHA256
3bc4b936686b998c462d5b49ea4fb9e9a8804da0875e467f30ec9de1fbe33897

SHA512
40d0354a3720cb3e51ce5a5d5fa2736bbd80765e40baf4bbecc64e71ba3ceb89c5db7283a1f03107fbd69eaebe387bca2d78a09afbf9ef4e34b4ef15e5ed260b

Download Submit
C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
23cc27c19a1f9d705feaf91df3bc885f

SHA1
39872501426de09e32fbb38d93ac8553613709fa

SHA256
b46840b7fc992a683256e039a8b38a89444118e291241999ab1f6a9ff7e9f023

SHA512
c2d93ff0e7c90342c7ebb287ad228948b293e91c52500d23b1beffd18ed7c157c9b4007d8631d464f57dde43077ad913c67f20cc76be3fe0edbbd53216f395cf

Download Submit
memory/1200-5-0x0000000000F80000-0x00000000012A4000-memory.dmp

Filesize
3.1MB

Download
memory/1200-4-0x00007FFBA8363000-0x00007FFBA8365000-memory.dmp

Filesize
8KB

Download
memory/1200-6-0x00007FFBA8360000-0x00007FFBA8E22000-memory.dmp

Filesize
10.8MB

Download
memory/1200-9-0x00007FFBA8360000-0x00007FFBA8E22000-memory.dmp

Filesize
10.8MB

Download
memory/2448-22-0x00007FFB85950000-0x00007FFB85960000-memory.dmp

Filesize
64KB

Download
memory/2448-19-0x00007FFB87F10000-0x00007FFB87F20000-memory.dmp

Filesize
64KB

Download
memory/2448-21-0x00007FFB85950000-0x00007FFB85960000-memory.dmp

Filesize
64KB

Download
memory/2448-16-0x00007FFB87F10000-0x00007FFB87F20000-memory.dmp

Filesize
64KB

Download
memory/2448-20-0x00007FFB87F10000-0x00007FFB87F20000-memory.dmp

Filesize
64KB

Download
memory/2448-18-0x00007FFB87F10000-0x00007FFB87F20000-memory.dmp

Filesize
64KB

Download
memory/2448-17-0x00007FFB87F10000-0x00007FFB87F20000-memory.dmp

Filesize
64KB

Download
memory/2516-67-0x000000000A7C0000-0x000000000A7D0000-memory.dmp

Filesize
64KB

Download
memory/2516-70-0x000000000A7C0000-0x000000000A7D0000-memory.dmp

Filesize
64KB

Download
memory/2516-71-0x000000000A7C0000-0x000000000A7D0000-memory.dmp

Filesize
64KB

Download
memory/2516-66-0x000000000A7C0000-0x000000000A7D0000-memory.dmp

Filesize
64KB

Download
memory/2516-72-0x000000000A7C0000-0x000000000A7D0000-memory.dmp

Filesize
64KB

Download
memory/2516-64-0x0000000008010000-0x0000000008020000-memory.dmp

Filesize
64KB

Download
memory/2516-65-0x000000000A7C0000-0x000000000A7D0000-memory.dmp

Filesize
64KB

Download
memory/2516-68-0x000000000A7C0000-0x000000000A7D0000-memory.dmp

Filesize
64KB

Download
memory/2516-69-0x000000000A7C0000-0x000000000A7D0000-memory.dmp

Filesize
64KB

Download
memory/3688-180-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-188-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-11-0x000000001C360000-0x000000001C412000-memory.dmp

Filesize
712KB

Download
memory/3688-186-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-14-0x000000001C300000-0x000000001C312000-memory.dmp

Filesize
72KB

Download
memory/3688-177-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-187-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-179-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-182-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-181-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-15-0x000000001CE60000-0x000000001CE9C000-memory.dmp

Filesize
240KB

Download
memory/3688-183-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-178-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-190-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-189-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-10-0x000000001B110000-0x000000001B160000-memory.dmp

Filesize
320KB

Download
memory/3688-194-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-193-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-191-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/3688-192-0x000000001D650000-0x000000001D660000-memory.dmp

Filesize
64KB

Download
memory/4992-210-0x00007FFBB94C0000-0x00007FFBB94F4000-memory.dmp

Filesize
208KB

Download
memory/4992-214-0x00007FFBBCDD0000-0x00007FFBBCDE1000-memory.dmp

Filesize
68KB

Download
memory/5400-133-0x00007FFBBCDD0000-0x00007FFBBCDE1000-memory.dmp

Filesize
68KB

Download
memory/5400-130-0x00007FFB99FB0000-0x00007FFB9A266000-memory.dmp

Filesize
2.7MB

Download
memory/5400-132-0x00007FFBBD0C0000-0x00007FFBBD0D7000-memory.dmp

Filesize
92KB

Download
memory/5548-201-0x00007FFBBCDD0000-0x00007FFBBCDE1000-memory.dmp

Filesize
68KB

Download
memory/5548-198-0x00007FFB99FB0000-0x00007FFB9A266000-memory.dmp

Filesize
2.7MB

Download
memory/5548-200-0x00007FFBBD0C0000-0x00007FFBBD0D7000-memory.dmp

Filesize
92KB

Download
memory/5548-199-0x00007FFBBF350000-0x00007FFBBF368000-memory.dmp

Filesize
96KB

Download
memory/5548-196-0x00007FF6E10A0000-0x00007FF6E1198000-memory.dmp

Filesize
992KB

Download
memory/5548-197-0x00007FFBB94C0000-0x00007FFBB94F4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads