quasar | 5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Size

498KB
MD5

0b289f42527f29b5080b2c27f1b81abc
SHA1

b4609368985d9c37c5b3b1bed3098360a7e2bd52
SHA256

5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8
SHA512

0af17966a2b3291f25dac48600360ae59f3e235162f9c3b5cb676a331089ac52e33e228df0b4471b946d2934cf0d4a880392f7b8690485741b2426474b7289e4
SSDEEP

12288:3bTrOWFYTzFpaioEoKibiDfq1NznYtK++0AY8fV2Ex82HzlGnmtwa4JwaC1rFDZU:rOWFepgio59nMKj0ABV2+Y7J1H

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
	2	ip-api.com	Process not Found
	10	ip-api.com	Process not Found
	17	ip-api.com	Process not Found

Quasar family
quasar

Executes dropped EXE 14 IoCs

pid	Process
2800	dllchost.exe
980	dllchost.exe
1312	dllchost.exe
2304	dllchost.exe
556	dllchost.exe
1592	dllchost.exe
2780	dllchost.exe
372	dllchost.exe
2276	dllchost.exe
1972	dllchost.exe
3036	dllchost.exe
2596	dllchost.exe
2020	dllchost.exe
660	dllchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2784	PING.EXE
2888	PING.EXE
1976	PING.EXE
1104	PING.EXE
1916	PING.EXE
2748	PING.EXE
1620	PING.EXE
3052	PING.EXE
880	PING.EXE
2976	PING.EXE
716	PING.EXE
2712	PING.EXE
1868	PING.EXE
2316	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
880	PING.EXE
1868	PING.EXE
716	PING.EXE
2976	PING.EXE
1916	PING.EXE
1620	PING.EXE
2784	PING.EXE
2712	PING.EXE
2316	PING.EXE
1104	PING.EXE
1976	PING.EXE
2888	PING.EXE
3052	PING.EXE
2748	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2948	schtasks.exe
2664	schtasks.exe
1740	schtasks.exe
2584	schtasks.exe
2756	schtasks.exe
2664	schtasks.exe
1784	schtasks.exe
3044	schtasks.exe
2344	schtasks.exe
1700	schtasks.exe
2796	schtasks.exe
1732	schtasks.exe
568	schtasks.exe
2876	schtasks.exe
1992	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Token: SeDebugPrivilege	2800	dllchost.exe
Token: SeDebugPrivilege	980	dllchost.exe
Token: SeDebugPrivilege	1312	dllchost.exe
Token: SeDebugPrivilege	2304	dllchost.exe
Token: SeDebugPrivilege	556	dllchost.exe
Token: SeDebugPrivilege	1592	dllchost.exe
Token: SeDebugPrivilege	2780	dllchost.exe
Token: SeDebugPrivilege	372	dllchost.exe
Token: SeDebugPrivilege	2276	dllchost.exe
Token: SeDebugPrivilege	1972	dllchost.exe
Token: SeDebugPrivilege	3036	dllchost.exe
Token: SeDebugPrivilege	2596	dllchost.exe
Token: SeDebugPrivilege	2020	dllchost.exe
Token: SeDebugPrivilege	660	dllchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2664	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	31
PID 2640 wrote to memory of 2664	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	31
PID 2640 wrote to memory of 2664	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	31
PID 2640 wrote to memory of 2664	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	31
PID 2640 wrote to memory of 2800	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	33
PID 2640 wrote to memory of 2800	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	33
PID 2640 wrote to memory of 2800	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	33
PID 2640 wrote to memory of 2800	2640	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	33
PID 2800 wrote to memory of 2584	2800	dllchost.exe	34
PID 2800 wrote to memory of 2584	2800	dllchost.exe	34
PID 2800 wrote to memory of 2584	2800	dllchost.exe	34
PID 2800 wrote to memory of 2584	2800	dllchost.exe	34
PID 2800 wrote to memory of 2556	2800	dllchost.exe	36
PID 2800 wrote to memory of 2556	2800	dllchost.exe	36
PID 2800 wrote to memory of 2556	2800	dllchost.exe	36
PID 2800 wrote to memory of 2556	2800	dllchost.exe	36
PID 2556 wrote to memory of 2636	2556	cmd.exe	38
PID 2556 wrote to memory of 2636	2556	cmd.exe	38
PID 2556 wrote to memory of 2636	2556	cmd.exe	38
PID 2556 wrote to memory of 2636	2556	cmd.exe	38
PID 2556 wrote to memory of 3052	2556	cmd.exe	39
PID 2556 wrote to memory of 3052	2556	cmd.exe	39
PID 2556 wrote to memory of 3052	2556	cmd.exe	39
PID 2556 wrote to memory of 3052	2556	cmd.exe	39
PID 2556 wrote to memory of 980	2556	cmd.exe	40
PID 2556 wrote to memory of 980	2556	cmd.exe	40
PID 2556 wrote to memory of 980	2556	cmd.exe	40
PID 2556 wrote to memory of 980	2556	cmd.exe	40
PID 980 wrote to memory of 2948	980	dllchost.exe	41
PID 980 wrote to memory of 2948	980	dllchost.exe	41
PID 980 wrote to memory of 2948	980	dllchost.exe	41
PID 980 wrote to memory of 2948	980	dllchost.exe	41
PID 980 wrote to memory of 2952	980	dllchost.exe	43
PID 980 wrote to memory of 2952	980	dllchost.exe	43
PID 980 wrote to memory of 2952	980	dllchost.exe	43
PID 980 wrote to memory of 2952	980	dllchost.exe	43
PID 2952 wrote to memory of 2628	2952	cmd.exe	45
PID 2952 wrote to memory of 2628	2952	cmd.exe	45
PID 2952 wrote to memory of 2628	2952	cmd.exe	45
PID 2952 wrote to memory of 2628	2952	cmd.exe	45
PID 2952 wrote to memory of 2316	2952	cmd.exe	46
PID 2952 wrote to memory of 2316	2952	cmd.exe	46
PID 2952 wrote to memory of 2316	2952	cmd.exe	46
PID 2952 wrote to memory of 2316	2952	cmd.exe	46
PID 2952 wrote to memory of 1312	2952	cmd.exe	48
PID 2952 wrote to memory of 1312	2952	cmd.exe	48
PID 2952 wrote to memory of 1312	2952	cmd.exe	48
PID 2952 wrote to memory of 1312	2952	cmd.exe	48
PID 1312 wrote to memory of 1784	1312	dllchost.exe	49
PID 1312 wrote to memory of 1784	1312	dllchost.exe	49
PID 1312 wrote to memory of 1784	1312	dllchost.exe	49
PID 1312 wrote to memory of 1784	1312	dllchost.exe	49
PID 1312 wrote to memory of 2988	1312	dllchost.exe	51
PID 1312 wrote to memory of 2988	1312	dllchost.exe	51
PID 1312 wrote to memory of 2988	1312	dllchost.exe	51
PID 1312 wrote to memory of 2988	1312	dllchost.exe	51
PID 2988 wrote to memory of 2520	2988	cmd.exe	53
PID 2988 wrote to memory of 2520	2988	cmd.exe	53
PID 2988 wrote to memory of 2520	2988	cmd.exe	53
PID 2988 wrote to memory of 2520	2988	cmd.exe	53
PID 2988 wrote to memory of 1104	2988	cmd.exe	54
PID 2988 wrote to memory of 1104	2988	cmd.exe	54
PID 2988 wrote to memory of 1104	2988	cmd.exe	54
PID 2988 wrote to memory of 1104	2988	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
"C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2664
- C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
  "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\0vgd47eubXZ7.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3052
  - - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
      "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hPsERLkD9oyk.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2316
      - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UTmsEhxhKlck.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1104
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4wMz1QjNrQcY.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YoE3N0OtkRNz.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\h7OhG0ZvVKg3.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ahGudJYnt2us.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y3APQxQvaH5U.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VxqCYHFlz5Xo.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\onn8nyMVTY7c.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wU8hw7OFCVtX.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWPsAzH5Mp9j.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\M3qsA4m0C8Iq.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\67wnBgqArGFx.bat" "
        29⤵
        
        PID:524
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0vgd47eubXZ7.bat

Filesize
211B

MD5
169247db471b8ca67afa4be382a1a2ff

SHA1
b870632eef1326d856fbcc713e604147a50f8cca

SHA256
50738974946ee4219b6f76dff9e33c47af4f6a9c3010248dc913b43918c8293d

SHA512
9d89ac59a069e375da75f5d6f09c078c7101755804b28f0e6786676a622ca86c062989bdd0a1cde20f359a55d236507f0d434f17c5c7f6a46ffff77c38872a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4wMz1QjNrQcY.bat

Filesize
211B

MD5
751b074b3368863e6e663b0db7728491

SHA1
1e4aa773b9a10fa2a936150330ff9be4a0977a04

SHA256
f87f7e03b6375614d781131967f478d61616b507621691439f6f32a5b2c5f3f6

SHA512
85d2a5ca43af752aaee1966b69181f6e45abd58102764579d4aeae16b7643d6c905fc657d0cf6c2f2ce13005226d1c23053ecd8f35f6c9848305ed8926b45f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\67wnBgqArGFx.bat

Filesize
211B

MD5
a2e26ea43c770c45c0238e54d353965c

SHA1
908ace871895b45c703faa3ec95a8b448aef8003

SHA256
65a243b35e5a20627442a7e903b59a8f69d72f0ff8e608cdb7bad25ca74b987c

SHA512
ec8c3e7024b20dae801607ecd18cdc468c9010c572b7633de21f0c3aeb8e895ea3ccfaa409d55c18c58180a62bf194289dc3de0d3d7551c587b5392dfc043949

Download Submit
C:\Users\Admin\AppData\Local\Temp\M3qsA4m0C8Iq.bat

Filesize
211B

MD5
35fe9bd6ab004c16bbb17413f22509d2

SHA1
d40d9059d6b28c077cf3a00b8abcde40d5026084

SHA256
031b1a7c062e0a6c2da7aaab32456977f5fec82515d13bd8de24821e7c128ac8

SHA512
61ea8c5e62719801d45345115e2707b4c9145810219e51baf626c4ec1a45e40e5959493382dce9fbd50e18ec4e47ece54db03d0f52e493d82d62c16a324ee497

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTmsEhxhKlck.bat

Filesize
211B

MD5
2e160c5fb476c4fa39ac31b0735d0f7b

SHA1
fba48cd05d19cb96baab27eb2a40a89e79772467

SHA256
f8b3e34bd7d6856e34fb1d66c81db133b0bf4c2f6032b2c619a3ee82be9d0a64

SHA512
206cbf1a416d69653f67a5be0b22ebee577b711333585a51b489a51802777ca28701f41a2c7f5adb49f5e88d3a153c4555fb6edcf28cb745240a5d6a989e7e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\VxqCYHFlz5Xo.bat

Filesize
211B

MD5
20dee44de53272036f4f077f1e78f039

SHA1
85f8909c4de65b7bfe2a420958ee3793e4422691

SHA256
44b0d7fa8cdf6b78786d4422dde9c7f97c63951c8f99c00cd64c49cf12640b50

SHA512
13bcdcd24fb687e69c3e5a374f44d2a2523d66221cb6fe1af21a4e9448bb0e3227144c8177f59d3ad140fa9a160ccb65c96dbc59cc1e51d8026f46de00c305b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoE3N0OtkRNz.bat

Filesize
211B

MD5
6f7c366b2faf3d777d7c5c3ea281f6de

SHA1
8be134455f3c39a3821ae9f815149871f46d8dc4

SHA256
909b5126989384d7ecf7170b041c64a7b0d653fa9fe64e295d9e997eda3bd3bc

SHA512
718b3acfad3a80fba2615dca24c7aa2cba38d5d2d6779253d05de8b51c78cae9b75730a8c3d41b5486ee799e7a9077aebe3e7b4cc2cd72651cf819c5947052ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahGudJYnt2us.bat

Filesize
211B

MD5
92ca60e6d9bc783c4d715625e739b933

SHA1
d2bbcd6e2d35dbbc1c4fa26fb10fd2541ed9fb61

SHA256
f1d4d6f924f61edce0087d0dda7c74fb73a11206d39e7c5ad29dcb448b1c1571

SHA512
fdd19d9e095bb1c050e333f3d185d8d310826f404c9ddfbc43a03dd82103a8855390fe800a21013522fc8abdbe19b4d8efabfd95c5e920bf29c1846edb3cb3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\dWPsAzH5Mp9j.bat

Filesize
211B

MD5
354122f38c82fac01fc0b09e91da2056

SHA1
0b9555f414e4dcbc0dc5f5e014a01f6b58acbb84

SHA256
a41627f1e1f58951bdc33b6a85cd30b6dda45ee3329fa101a42d58aa45d79c39

SHA512
df6c4fd75ca801974c01f8f81276fd455a396ad4723dfa92bff94c97e19950d1d4c1ee3ad6196cab208a947e4572becbd8e3be39a9381011199064734df80188

Download Submit
C:\Users\Admin\AppData\Local\Temp\h7OhG0ZvVKg3.bat

Filesize
211B

MD5
91d06af5a1a50f642bfcc5c3ad366b64

SHA1
a90a2d798ee4e29aefc4a0870a256cd145b25b8a

SHA256
6c04ad84221de3bb0f9dbe338846aa7e58c03b346be44870ba4a3cf189162bd5

SHA512
a9803ca293234029ebfe62bfbc7869f0d60b1beb7e57fa5f186343338ecaf586cecbbdb9bd66de89761bdab1528df7da1396bfbf21cfc281d0144cb7cebe8a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\hPsERLkD9oyk.bat

Filesize
211B

MD5
b97b4828dea08f002dbbe7eb24ae80f2

SHA1
3aff33e49ef7f24bbd9ea592b2282bebf0091062

SHA256
b1ea6629bf944a25e907fe875b4c4daef4fe88f750f562e2a6eb427248e2e377

SHA512
cb12c1473e5b4a67e262f96c1b801214e3db722fb3e128582896398f07e70b98894922720be87a17899d49bccf529d35bc0979d3f50f895d0c22b569293e89c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onn8nyMVTY7c.bat

Filesize
211B

MD5
7a05f5568dd37ecef01bc86076f4a246

SHA1
eb6d13e92dc3800b4a4bab2fb3835ed31c1bf0c0

SHA256
f5b9b554bc20b0f6874a236a81ead84fa9aaee1a780f2f69a2577991c5aebb87

SHA512
f77adc95ec59ea00ab99ec28613a4f22ab2d09e152696337fdf773063297b843bbc058da1661daa2900d6b57926d022c772aba34f613425ccc793b52e22ea2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wU8hw7OFCVtX.bat

Filesize
211B

MD5
db89af4df4aeb2ce9cf0d1d3c8567892

SHA1
645cf6e0c8753fe3443a27cc6532d6ba50a796a8

SHA256
c0cb7a2c92df5af2b67cc9beaa5ba567852e83d07d7566672a56783f9644dd2b

SHA512
4921f983e37672035e7def3bd0575a0a73f488a3e8dd8f27ab0b19a57143ef483a2e379b9d388cf8aa7390cbbe9f526d791680deddb1b76053c580b1d260f472

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3APQxQvaH5U.bat

Filesize
211B

MD5
82c6ef787426c19079e557a9a7434dbc

SHA1
c702af759a8fd51e90bbc5e5c77d3b7861a41f5c

SHA256
e1e75e0fe940ac749cf9865dccd3588d9533be6d3c722ee0e8677a054d4dea65

SHA512
779241f7ce4e4152d19e3bf380b3abcd952107f3509a7088ba6f1b1ea429558e3f26169d89fdfead03dcc8354bb25a063992280c739e8396ff1e5d75b931d723

Download Submit
\Users\Admin\AppData\Roaming\dllchost\dllchost.exe

Filesize
498KB

MD5
0b289f42527f29b5080b2c27f1b81abc

SHA1
b4609368985d9c37c5b3b1bed3098360a7e2bd52

SHA256
5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8

SHA512
0af17966a2b3291f25dac48600360ae59f3e235162f9c3b5cb676a331089ac52e33e228df0b4471b946d2934cf0d4a880392f7b8690485741b2426474b7289e4

Download Submit
memory/372-92-0x0000000000200000-0x0000000000282000-memory.dmp

Filesize
520KB

Download
memory/556-59-0x0000000000BC0000-0x0000000000C42000-memory.dmp

Filesize
520KB

Download
memory/660-158-0x0000000000230000-0x00000000002B2000-memory.dmp

Filesize
520KB

Download
memory/980-26-0x0000000001260000-0x00000000012E2000-memory.dmp

Filesize
520KB

Download
memory/1312-37-0x0000000000140000-0x00000000001C2000-memory.dmp

Filesize
520KB

Download
memory/1592-70-0x00000000012D0000-0x0000000001352000-memory.dmp

Filesize
520KB

Download
memory/1972-114-0x0000000001060000-0x00000000010E2000-memory.dmp

Filesize
520KB

Download
memory/2020-147-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/2276-103-0x0000000000300000-0x0000000000382000-memory.dmp

Filesize
520KB

Download
memory/2304-48-0x0000000000BC0000-0x0000000000C42000-memory.dmp

Filesize
520KB

Download
memory/2596-136-0x0000000001060000-0x00000000010E2000-memory.dmp

Filesize
520KB

Download
memory/2640-13-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2640-4-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2640-3-0x00000000008F0000-0x00000000008F6000-memory.dmp

Filesize
24KB

Download
memory/2640-2-0x00000000048E0000-0x00000000049BC000-memory.dmp

Filesize
880KB

Download
memory/2640-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x00000000009C0000-0x0000000000A42000-memory.dmp

Filesize
520KB

Download
memory/2780-81-0x00000000002C0000-0x0000000000342000-memory.dmp

Filesize
520KB

Download
memory/2800-12-0x0000000001260000-0x00000000012E2000-memory.dmp

Filesize
520KB

Download
memory/2800-14-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2800-11-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2800-24-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/3036-125-0x0000000001060000-0x00000000010E2000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads