quasar | 537a88d2c2c8cee418e6b1da94d655caa0ece2beb6c04fe1f96aeb199d87eded

Analysis

max time kernel
2s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 12:13

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Paypal cracker.exe
Size

6.6MB
MD5

5627dd16f023b8be51ed365d2fb6fee5
SHA1

fcccce747bf6c824233cfda366798fa0467d3daf
SHA256

2e2f6fe5b310d843656af43b60c0faddf6eb0f329efc8353272437db44b5f247
SHA512

e475f903d2afd4c1b985f368f77610270df54bb8207130f6339e59595777718cfadadbb732775523a11aa035cbbf3c6d81896a33d84b40f6c01f182a1654f637
SSDEEP

98304:xRlI+LjNr86mjj/UYviu26bbyKS2myX0rPpIh1KcV:xRlVmj72wblTmyEpG17V

Score

10^/10

quasar windows security discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes

encryption_key
7mvA2TfKjvMIY0zZeMKF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0007000000023c7d-15.dat	disable_win_def
behavioral2/files/0x0007000000023c83-42.dat	disable_win_def
behavioral2/memory/4684-46-0x0000000000CE0000-0x0000000000D6C000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c7d-15.dat	family_quasar
behavioral2/files/0x0007000000023c83-42.dat	family_quasar
behavioral2/memory/4684-46-0x0000000000CE0000-0x0000000000D6C000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Checker.exe

Executes dropped EXE 7 IoCs

pid	Process
312	systemsvc.exe
5000	systemkvc.exe
4084	Checker.exe
816	PAYPAL.EXE
4684	WINDOWS SECURITY.EXE
3084	6D9F65648AD.exe
5004	ZuJABC1.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\ADC8807895EC2284582127\\ADC8807895EC2284582127.exe"	systemsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\ADC8807895EC2284582127\\ADC8807895EC2284582127.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AXA2J5D2JEC = "C:\\Services\\6D9F65648AD.exe"	ZuJABC1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 312 set thread context of 3024	312	systemsvc.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4232	4684	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6D9F65648AD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZuJABC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemkvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAYPAL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS SECURITY.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2192	PING.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	ZuJABC1.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\PhishingFilter	ZuJABC1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	ZuJABC1.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery	ZuJABC1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	ZuJABC1.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2192	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4272	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
5000	systemkvc.exe
5000	systemkvc.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
5000	systemkvc.exe
5000	systemkvc.exe
3084	6D9F65648AD.exe
3084	6D9F65648AD.exe
5004	ZuJABC1.exe
5004	ZuJABC1.exe
5004	ZuJABC1.exe
5004	ZuJABC1.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	312	systemsvc.exe
Token: SeSecurityPrivilege	312	systemsvc.exe
Token: SeTakeOwnershipPrivilege	312	systemsvc.exe
Token: SeLoadDriverPrivilege	312	systemsvc.exe
Token: SeSystemProfilePrivilege	312	systemsvc.exe
Token: SeSystemtimePrivilege	312	systemsvc.exe
Token: SeProfSingleProcessPrivilege	312	systemsvc.exe
Token: SeIncBasePriorityPrivilege	312	systemsvc.exe
Token: SeCreatePagefilePrivilege	312	systemsvc.exe
Token: SeBackupPrivilege	312	systemsvc.exe
Token: SeRestorePrivilege	312	systemsvc.exe
Token: SeShutdownPrivilege	312	systemsvc.exe
Token: SeDebugPrivilege	312	systemsvc.exe
Token: SeSystemEnvironmentPrivilege	312	systemsvc.exe
Token: SeRemoteShutdownPrivilege	312	systemsvc.exe
Token: SeUndockPrivilege	312	systemsvc.exe
Token: SeManageVolumePrivilege	312	systemsvc.exe
Token: 33	312	systemsvc.exe
Token: 34	312	systemsvc.exe
Token: 35	312	systemsvc.exe
Token: 36	312	systemsvc.exe
Token: SeDebugPrivilege	5000	systemkvc.exe
Token: SeDebugPrivilege	5000	systemkvc.exe
Token: SeIncreaseQuotaPrivilege	3024	svchost.exe
Token: SeSecurityPrivilege	3024	svchost.exe
Token: SeTakeOwnershipPrivilege	3024	svchost.exe
Token: SeLoadDriverPrivilege	3024	svchost.exe
Token: SeSystemProfilePrivilege	3024	svchost.exe
Token: SeSystemtimePrivilege	3024	svchost.exe
Token: SeProfSingleProcessPrivilege	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: SeCreatePagefilePrivilege	3024	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeRestorePrivilege	3024	svchost.exe
Token: SeShutdownPrivilege	3024	svchost.exe
Token: SeDebugPrivilege	3024	svchost.exe
Token: SeSystemEnvironmentPrivilege	3024	svchost.exe
Token: SeRemoteShutdownPrivilege	3024	svchost.exe
Token: SeUndockPrivilege	3024	svchost.exe
Token: SeManageVolumePrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: 34	3024	svchost.exe
Token: 35	3024	svchost.exe
Token: 36	3024	svchost.exe
Token: SeDebugPrivilege	5000	systemkvc.exe
Token: SeDebugPrivilege	5000	systemkvc.exe
Token: SeDebugPrivilege	3084	6D9F65648AD.exe
Token: SeDebugPrivilege	3084	6D9F65648AD.exe
Token: SeDebugPrivilege	5004	ZuJABC1.exe
Token: SeDebugPrivilege	5004	ZuJABC1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
816	PAYPAL.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 312	4500	Paypal cracker.exe	85
PID 4500 wrote to memory of 312	4500	Paypal cracker.exe	85
PID 4500 wrote to memory of 5000	4500	Paypal cracker.exe	86
PID 4500 wrote to memory of 5000	4500	Paypal cracker.exe	86
PID 4500 wrote to memory of 5000	4500	Paypal cracker.exe	86
PID 4500 wrote to memory of 4084	4500	Paypal cracker.exe	87
PID 4500 wrote to memory of 4084	4500	Paypal cracker.exe	87
PID 4500 wrote to memory of 4084	4500	Paypal cracker.exe	87
PID 4084 wrote to memory of 816	4084	Checker.exe	88
PID 4084 wrote to memory of 816	4084	Checker.exe	88
PID 4084 wrote to memory of 816	4084	Checker.exe	88
PID 4084 wrote to memory of 4684	4084	Checker.exe	89
PID 4084 wrote to memory of 4684	4084	Checker.exe	89
PID 4084 wrote to memory of 4684	4084	Checker.exe	89
PID 312 wrote to memory of 3024	312	systemsvc.exe	90
PID 312 wrote to memory of 3024	312	systemsvc.exe	90
PID 312 wrote to memory of 3024	312	systemsvc.exe	90
PID 5000 wrote to memory of 3084	5000	systemkvc.exe	91
PID 5000 wrote to memory of 3084	5000	systemkvc.exe	91
PID 5000 wrote to memory of 3084	5000	systemkvc.exe	91
PID 3084 wrote to memory of 5004	3084	6D9F65648AD.exe	92
PID 3084 wrote to memory of 5004	3084	6D9F65648AD.exe	92
PID 3084 wrote to memory of 5004	3084	6D9F65648AD.exe	92
PID 3084 wrote to memory of 5004	3084	6D9F65648AD.exe	92
PID 3084 wrote to memory of 5004	3084	6D9F65648AD.exe	92
PID 5004 wrote to memory of 5000	5004	ZuJABC1.exe	86
PID 5004 wrote to memory of 5000	5004	ZuJABC1.exe	86
PID 5004 wrote to memory of 5000	5004	ZuJABC1.exe	86
PID 5004 wrote to memory of 5000	5004	ZuJABC1.exe	86
PID 5004 wrote to memory of 816	5004	ZuJABC1.exe	88
PID 5004 wrote to memory of 816	5004	ZuJABC1.exe	88
PID 5004 wrote to memory of 816	5004	ZuJABC1.exe	88
PID 5004 wrote to memory of 816	5004	ZuJABC1.exe	88
PID 5004 wrote to memory of 4684	5004	ZuJABC1.exe	89
PID 5004 wrote to memory of 4684	5004	ZuJABC1.exe	89
PID 5004 wrote to memory of 4684	5004	ZuJABC1.exe	89
PID 5004 wrote to memory of 4684	5004	ZuJABC1.exe	89

C:\Users\Admin\AppData\Local\Temp\Paypal cracker.exe
"C:\Users\Admin\AppData\Local\Temp\Paypal cracker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Roaming\systemsvc.exe
  "C:\Users\Admin\AppData\Roaming\systemsvc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Users\Admin\AppData\Roaming\systemkvc.exe
  "C:\Users\Admin\AppData\Roaming\systemkvc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Services\6D9F65648AD.exe
    "C:\Services\6D9F65648AD.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\ZuJABC1.exe
      "C:\Users\Admin\AppData\Local\Temp\ZuJABC1.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5004
- C:\Users\Admin\AppData\Local\Temp\Checker.exe
  "Checker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4684
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PPvcAAxiZXhc.bat" "
      4⤵
      PID:2516
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:712
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2228
      4⤵
      Program crash
      PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4684 -ip 4684
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Services\99589C66330ACC6

Filesize
34KB

MD5
6a172fdb857f0ac1921efc443e407e7d

SHA1
9401bd19abe0750b866625107f146c1cf55c75b8

SHA256
ab3adcd792f9526fc8634b1de30773d74becadaf056c8d3b1aeee1641f4d640b

SHA512
195a632b76a2a19227cbd1364b810148764c6e5b94971d3e34f93e83d38d410d122db52671a9ebca4087e0216361c6e54db7f959a83832cb5ca2d769cec04ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe

Filesize
5.9MB

MD5
3425a9f00842bf28a0bafc5c1571b881

SHA1
3009eca32bcf159981d37a8620836b1d215aa33e

SHA256
7328321fccd71cfda94a18656158ce54b0e3a0831d48f46f559b442a33a1790a

SHA512
868b816f376a3bc38d24850808eb5410e4037acedd0849ad73868065525444a4cca54e3484d5ac0b14523217f3d6da24fc6132942632653439f0ea5310084bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE

Filesize
5.3MB

MD5
341b34b571af06277c2f3b4156bd86df

SHA1
ba120240400cc6dcf0e92e732d4f460f3763102b

SHA256
9a579053ee79c9ee45e29ac1887aba8cb87936c01026b5f3d830456547adc441

SHA512
2cbb482d2e087e18b7461c9a317aa249adf12821de17d6dd59f3c17e01394047df31e875a551d23d32a64a46f8db46003c2feced7e967dd159bc65d3bff76e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPvcAAxiZXhc.bat

Filesize
213B

MD5
ceb943a7b4f223e2a5a3f4762b019a6e

SHA1
3e577234579efdcc816a8a7929f91b98395d38b2

SHA256
d6bf1029ca71bb083f06bb4fb8e7e775c893fe35226eeaed89545b461f7389eb

SHA512
583a9300c224e5719406e78c0718c1a0a7f4f089e3c9730cd0547d754a4f2d923394acf1e5c736515fbe7b5e3e019490aa4c4b47e22b2139f4521487da899f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE

Filesize
534KB

MD5
9e14775490cee79c73cb45c2f24f7a73

SHA1
ddd6c7485a5e64a66a0a7598777abdafa7a63950

SHA256
d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e

SHA512
1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZuJABC1.exe

Filesize
3KB

MD5
29090b6b4d6605a97ac760d06436ac2d

SHA1
d929d3389642e52bae5ad8512293c9c4d3e4fab5

SHA256
98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

SHA512
9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Download Submit
C:\Users\Admin\AppData\Roaming\systemkvc.exe

Filesize
355KB

MD5
33ed3913ea48a41363644e37261fddc2

SHA1
f52b405849a5bcffa792ee44643c7d6c9db9044f

SHA256
3859cde03ca6389bb5973e274ab9da5b51b9593a319e1b16330225b2aea8bd63

SHA512
1b4c87215b7da10166ddfc9a9f214a8fc4292905517f4632fea937fd5aff83f8cec3c99cf15dac0d6d34f0a180b592e2f3fc8346e6aa52bcf064c396b547e053

Download Submit
C:\Users\Admin\AppData\Roaming\systemsvc.exe

Filesize
299KB

MD5
5d5392e5c3edac5337a75692f75b4c8e

SHA1
80b9f25c4162e69fc24a5a056e2c3fc029b68f02

SHA256
e7c8df1d1cf7e5abf9c6c025ee99acad9ce907d5f584bb38c5eeb32706251109

SHA512
15141c710c41ff75b23b8b406d91b105dcfe5bb8819ae067baf1d2383a599e081ce14c978bdae151129352ccb096cd587e4ab1bf4f0995c284907e606ed66227

Download Submit
memory/816-81-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/816-95-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/816-43-0x0000000000400000-0x0000000000B2B000-memory.dmp

Filesize
7.2MB

Download
memory/3084-66-0x0000000000CE0000-0x0000000000D3C000-memory.dmp

Filesize
368KB

Download
memory/4684-46-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/4684-120-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-47-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4684-110-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-111-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-187-0x0000000006D20000-0x0000000006D2A000-memory.dmp

Filesize
40KB

Download
memory/4684-112-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-80-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4684-113-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-93-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4684-114-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-115-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-122-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-126-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-116-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-117-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-184-0x00000000069A0000-0x00000000069DC000-memory.dmp

Filesize
240KB

Download
memory/4684-118-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-105-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4684-127-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-125-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-124-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-183-0x0000000005AF0000-0x0000000005B02000-memory.dmp

Filesize
72KB

Download
memory/4684-123-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-121-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/4684-48-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/4684-119-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/5000-13-0x0000000000050000-0x00000000000AC000-memory.dmp

Filesize
368KB

Download
memory/5000-49-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5000-50-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5000-22-0x00000000010D0000-0x00000000011D0000-memory.dmp

Filesize
1024KB

Download
memory/5000-21-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/5000-19-0x00000000010D0000-0x00000000011D0000-memory.dmp

Filesize
1024KB

Download
memory/5000-18-0x00000000010D0000-0x00000000011D0000-memory.dmp

Filesize
1024KB

Download
memory/5000-191-0x0000000000050000-0x00000000000AC000-memory.dmp

Filesize
368KB

Download
memory/5004-71-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/5004-109-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-107-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-106-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-103-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-104-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-102-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-101-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-79-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-100-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-99-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-97-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-61-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/5004-65-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/5004-67-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/5004-68-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/5004-92-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-91-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-90-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-89-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-88-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-87-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-86-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-85-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-84-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-83-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-82-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-98-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/5004-70-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/5004-72-0x0000000000550000-0x0000000000566000-memory.dmp

Filesize
88KB

Download
memory/5004-73-0x0000000000550000-0x0000000000566000-memory.dmp

Filesize
88KB

Download
memory/5004-74-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads