quasar | a700c208e84d5427566a321f204bce16f8b7d5a3655bd76b6637920f46289172

General

Target

Timsistem_Product_Specifications - 2020.07.16.exe
Size

740KB
MD5

bf7fe4334d0b4363d70bd997460588a3
SHA1

dcba20338c5dbde13a8189f0d154e3d650cca99c
SHA256

bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2
SHA512

be3739a91180dfc1c391045fe2f9a27be3303f6a8c042cee8af7c0bca73483768c33dd806a464a7fdee1b4203135b1fde132a3edc86bd3122ba83f4b993ac4fa
SSDEEP

12288:E1bl3SKiQ9X5M1EL6GgmV5hT82Hnb6tY1CoO4SOSWGbz3hLkbLvhu:OVoQ9EWe23Q0b6tYbO4e3t

Score

10^/10

quasar alexia-station spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Alexia-Station

C2

79.134.225.69:4782

Mutex

QSR_MUTEX_UR8lkLH1hfB8BFkqFf

Attributes

encryption_key
gO53Ewkmsbtfm9kB1s5G
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1736-27-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral1/memory/1736-26-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral1/memory/1736-30-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral1/memory/1736-29-0x00000000004D0000-0x0000000000532000-memory.dmp	family_quasar
behavioral1/memory/1736-28-0x00000000004D0000-0x0000000000532000-memory.dmp	family_quasar
behavioral1/memory/1736-59-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral1/memory/2268-77-0x00000000004D0000-0x0000000000532000-memory.dmp	family_quasar
behavioral1/memory/2268-88-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral1/memory/1588-97-0x0000000000550000-0x00000000005B2000-memory.dmp	family_quasar
behavioral1/memory/1588-110-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral1/memory/2556-129-0x00000000007F0000-0x0000000000852000-memory.dmp	family_quasar
behavioral1/memory/2556-135-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral1/memory/2268-136-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar

Drops startup file 2 IoCs

Processes:

notepad.exenotepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe

Executes dropped EXE 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2948	svchost.exe
1736	svchost.exe
2400	svchost.exe
2580	svchost.exe
2316	svchost.exe
1228	svchost.exe
2268	svchost.exe
1352	svchost.exe
1588	svchost.exe
1840	svchost.exe
2736	svchost.exe
2556	svchost.exe
2748	svchost.exe

Loads dropped DLL 8 IoCs

Processes:

notepad.exesvchost.exesvchost.exenotepad.exe

pid process

1004 notepad.exe
1004 notepad.exe
2948 svchost.exe
2948 svchost.exe
1736 svchost.exe
1736 svchost.exe
2524 notepad.exe
2524 notepad.exe

pid	process
1004	notepad.exe
1004	notepad.exe
2948	svchost.exe
2948	svchost.exe
1736	svchost.exe
1736	svchost.exe
2524	notepad.exe
2524	notepad.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1736-19-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1736-27-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1736-26-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1736-30-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1736-25-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2948 set thread context of 1736	2948	svchost.exe	svchost.exe
PID 1228 set thread context of 2268	1228	svchost.exe	svchost.exe
PID 2316 set thread context of 1588	2316	svchost.exe	svchost.exe
PID 2736 set thread context of 2556	2736	svchost.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2604 schtasks.exe

pid	process
2604	schtasks.exe

NTFS ADS 2 IoCs

Processes:

notepad.exenotepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe:ZoneIdentifier	notepad.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

Timsistem_Product_Specifications - 2020.07.16.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2204	Timsistem_Product_Specifications - 2020.07.16.exe
2948	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2400	svchost.exe
2580	svchost.exe
2400	svchost.exe
2400	svchost.exe
1228	svchost.exe
2316	svchost.exe
1840	svchost.exe
1840	svchost.exe
1352	svchost.exe
1352	svchost.exe
1840	svchost.exe
1352	svchost.exe
1840	svchost.exe
1352	svchost.exe
1840	svchost.exe
1352	svchost.exe
1840	svchost.exe
1352	svchost.exe
1840	svchost.exe
1352	svchost.exe
1840	svchost.exe
2736	svchost.exe
2748	svchost.exe
2748	svchost.exe
1352	svchost.exe
2748	svchost.exe
1352	svchost.exe
2748	svchost.exe
1352	svchost.exe
2748	svchost.exe
1352	svchost.exe
2268	svchost.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

2948 svchost.exe
1228 svchost.exe
2316 svchost.exe
2736 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1736 svchost.exe
Token: SeDebugPrivilege 1588 svchost.exe
Token: SeDebugPrivilege 2268 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1736	svchost.exe
Token: SeDebugPrivilege	1588	svchost.exe
Token: SeDebugPrivilege	2268	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Timsistem_Product_Specifications - 2020.07.16.exenotepad.exesvchost.exesvchost.exesvchost.exenotepad.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2204 wrote to memory of 1004	2204	Timsistem_Product_Specifications - 2020.07.16.exe	notepad.exe
PID 2204 wrote to memory of 1004	2204	Timsistem_Product_Specifications - 2020.07.16.exe	notepad.exe
PID 2204 wrote to memory of 1004	2204	Timsistem_Product_Specifications - 2020.07.16.exe	notepad.exe
PID 2204 wrote to memory of 1004	2204	Timsistem_Product_Specifications - 2020.07.16.exe	notepad.exe
PID 2204 wrote to memory of 1004	2204	Timsistem_Product_Specifications - 2020.07.16.exe	notepad.exe
PID 2204 wrote to memory of 1004	2204	Timsistem_Product_Specifications - 2020.07.16.exe	notepad.exe
PID 1004 wrote to memory of 2948	1004	notepad.exe	svchost.exe
PID 1004 wrote to memory of 2948	1004	notepad.exe	svchost.exe
PID 1004 wrote to memory of 2948	1004	notepad.exe	svchost.exe
PID 1004 wrote to memory of 2948	1004	notepad.exe	svchost.exe
PID 2948 wrote to memory of 1736	2948	svchost.exe	svchost.exe
PID 2948 wrote to memory of 1736	2948	svchost.exe	svchost.exe
PID 2948 wrote to memory of 1736	2948	svchost.exe	svchost.exe
PID 2948 wrote to memory of 1736	2948	svchost.exe	svchost.exe
PID 2948 wrote to memory of 2400	2948	svchost.exe	svchost.exe
PID 2948 wrote to memory of 2400	2948	svchost.exe	svchost.exe
PID 2948 wrote to memory of 2400	2948	svchost.exe	svchost.exe
PID 2948 wrote to memory of 2400	2948	svchost.exe	svchost.exe
PID 1736 wrote to memory of 2604	1736	svchost.exe	schtasks.exe
PID 1736 wrote to memory of 2604	1736	svchost.exe	schtasks.exe
PID 1736 wrote to memory of 2604	1736	svchost.exe	schtasks.exe
PID 1736 wrote to memory of 2604	1736	svchost.exe	schtasks.exe
PID 1736 wrote to memory of 2580	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 2580	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 2580	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 2580	1736	svchost.exe	svchost.exe
PID 2580 wrote to memory of 2524	2580	svchost.exe	notepad.exe
PID 2580 wrote to memory of 2524	2580	svchost.exe	notepad.exe
PID 2580 wrote to memory of 2524	2580	svchost.exe	notepad.exe
PID 2580 wrote to memory of 2524	2580	svchost.exe	notepad.exe
PID 2580 wrote to memory of 2524	2580	svchost.exe	notepad.exe
PID 2580 wrote to memory of 2524	2580	svchost.exe	notepad.exe
PID 2524 wrote to memory of 2316	2524	notepad.exe	svchost.exe
PID 2524 wrote to memory of 2316	2524	notepad.exe	svchost.exe
PID 2524 wrote to memory of 2316	2524	notepad.exe	svchost.exe
PID 2524 wrote to memory of 2316	2524	notepad.exe	svchost.exe
PID 2400 wrote to memory of 1228	2400	svchost.exe	svchost.exe
PID 2400 wrote to memory of 1228	2400	svchost.exe	svchost.exe
PID 2400 wrote to memory of 1228	2400	svchost.exe	svchost.exe
PID 2400 wrote to memory of 1228	2400	svchost.exe	svchost.exe
PID 1228 wrote to memory of 2268	1228	svchost.exe	svchost.exe
PID 1228 wrote to memory of 2268	1228	svchost.exe	svchost.exe
PID 1228 wrote to memory of 2268	1228	svchost.exe	svchost.exe
PID 1228 wrote to memory of 2268	1228	svchost.exe	svchost.exe
PID 1228 wrote to memory of 1352	1228	svchost.exe	svchost.exe
PID 1228 wrote to memory of 1352	1228	svchost.exe	svchost.exe
PID 1228 wrote to memory of 1352	1228	svchost.exe	svchost.exe
PID 1228 wrote to memory of 1352	1228	svchost.exe	svchost.exe
PID 2316 wrote to memory of 1588	2316	svchost.exe	svchost.exe
PID 2316 wrote to memory of 1588	2316	svchost.exe	svchost.exe
PID 2316 wrote to memory of 1588	2316	svchost.exe	svchost.exe
PID 2316 wrote to memory of 1588	2316	svchost.exe	svchost.exe
PID 2316 wrote to memory of 1840	2316	svchost.exe	svchost.exe
PID 2316 wrote to memory of 1840	2316	svchost.exe	svchost.exe
PID 2316 wrote to memory of 1840	2316	svchost.exe	svchost.exe
PID 2316 wrote to memory of 1840	2316	svchost.exe	svchost.exe
PID 1840 wrote to memory of 2736	1840	svchost.exe	svchost.exe
PID 1840 wrote to memory of 2736	1840	svchost.exe	svchost.exe
PID 1840 wrote to memory of 2736	1840	svchost.exe	svchost.exe
PID 1840 wrote to memory of 2736	1840	svchost.exe	svchost.exe
PID 2736 wrote to memory of 2556	2736	svchost.exe	svchost.exe
PID 2736 wrote to memory of 2556	2736	svchost.exe	svchost.exe
PID 2736 wrote to memory of 2556	2736	svchost.exe	svchost.exe
PID 2736 wrote to memory of 2556	2736	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.16.exe
"C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.16.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2604

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1588 259397854
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
10⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2556 259398790
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1736 259395982
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2268 259397791
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs

Filesize
117B

MD5
1e1210e1f4ddf6ef0c8fba38d42fc47d

SHA1
277b28ec9205781e0bb7b83eebebd3a6020d4885

SHA256
be103c639055c00b2f4affc5924292dc638828c496d9dafb171544608dad5944

SHA512
40acb3964bf40743e8ed1175686389197cbde90ae707669c257683bd7d553db8bb43e300b8ac79c238929ff6c015d79c10316064ad211e00d2deb7127625810e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe

Filesize
740KB

MD5
bf7fe4334d0b4363d70bd997460588a3

SHA1
dcba20338c5dbde13a8189f0d154e3d650cca99c

SHA256
bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2

SHA512
be3739a91180dfc1c391045fe2f9a27be3303f6a8c042cee8af7c0bca73483768c33dd806a464a7fdee1b4203135b1fde132a3edc86bd3122ba83f4b993ac4fa

Download Submit
memory/1004-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1004-6-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1228-90-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1352-132-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1588-110-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1588-97-0x0000000000550000-0x00000000005B2000-memory.dmp

Filesize
392KB

Download
memory/1736-26-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1736-59-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1736-30-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1736-29-0x00000000004D0000-0x0000000000532000-memory.dmp

Filesize
392KB

Download
memory/1736-28-0x00000000004D0000-0x0000000000532000-memory.dmp

Filesize
392KB

Download
memory/1736-25-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1736-19-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1736-27-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1840-111-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2204-2-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2204-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x000000000045B000-0x0000000000465000-memory.dmp

Filesize
40KB

Download
memory/2268-77-0x00000000004D0000-0x0000000000532000-memory.dmp

Filesize
392KB

Download
memory/2268-88-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2268-136-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2316-94-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2400-32-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2400-31-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2556-129-0x00000000007F0000-0x0000000000852000-memory.dmp

Filesize
392KB

Download
memory/2556-135-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2580-56-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2736-116-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2748-131-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2948-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads