quasar | hxxp://91[.]92[.]249[.]238/

General

Target

http://91.92.249.238/

Score

10^/10

quasar crazyrdp spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

crazyrdp

C2

91.92.249.238:4789

Mutex

QSR_MUTEX_XruzuSocGeJYPIQ4EA

Attributes

encryption_key
9J7nta72xxingqa2stut
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4392-4-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

101 ip-api.com

flow	ioc
101	ip-api.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

dmskqmkd.exedmskqmkd.exedmskqmkd.exedmskqmkd.exedmskqmkd.exe

description	pid	process	target process
PID 3244 set thread context of 4392	3244	dmskqmkd.exe	vbc.exe
PID 732 set thread context of 3732	732	dmskqmkd.exe	vbc.exe
PID 3812 set thread context of 4740	3812	dmskqmkd.exe	vbc.exe
PID 5752 set thread context of 5776	5752	dmskqmkd.exe	vbc.exe
PID 5772 set thread context of 5792	5772	dmskqmkd.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3236 schtasks.exe
4740 schtasks.exe
5312 schtasks.exe
5928 schtasks.exe
5800 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 4392 vbc.exe

pid	process
3236	schtasks.exe
4740	schtasks.exe
5312	schtasks.exe
5928	schtasks.exe
5800	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4392	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dmskqmkd.execmd.exedmskqmkd.execmd.exedmskqmkd.execmd.exedmskqmkd.exe

description	pid	process	target process
PID 3244 wrote to memory of 4392	3244	dmskqmkd.exe	vbc.exe
PID 3244 wrote to memory of 4392	3244	dmskqmkd.exe	vbc.exe
PID 3244 wrote to memory of 4392	3244	dmskqmkd.exe	vbc.exe
PID 3244 wrote to memory of 4392	3244	dmskqmkd.exe	vbc.exe
PID 3244 wrote to memory of 4392	3244	dmskqmkd.exe	vbc.exe
PID 3244 wrote to memory of 4392	3244	dmskqmkd.exe	vbc.exe
PID 3244 wrote to memory of 4392	3244	dmskqmkd.exe	vbc.exe
PID 3244 wrote to memory of 4392	3244	dmskqmkd.exe	vbc.exe
PID 3244 wrote to memory of 692	3244	dmskqmkd.exe	cmd.exe
PID 3244 wrote to memory of 692	3244	dmskqmkd.exe	cmd.exe
PID 3244 wrote to memory of 692	3244	dmskqmkd.exe	cmd.exe
PID 3244 wrote to memory of 2608	3244	dmskqmkd.exe	cmd.exe
PID 3244 wrote to memory of 2608	3244	dmskqmkd.exe	cmd.exe
PID 3244 wrote to memory of 2608	3244	dmskqmkd.exe	cmd.exe
PID 3244 wrote to memory of 5080	3244	dmskqmkd.exe	cmd.exe
PID 3244 wrote to memory of 5080	3244	dmskqmkd.exe	cmd.exe
PID 3244 wrote to memory of 5080	3244	dmskqmkd.exe	cmd.exe
PID 2608 wrote to memory of 3236	2608	cmd.exe	schtasks.exe
PID 2608 wrote to memory of 3236	2608	cmd.exe	schtasks.exe
PID 2608 wrote to memory of 3236	2608	cmd.exe	schtasks.exe
PID 732 wrote to memory of 3732	732	dmskqmkd.exe	vbc.exe
PID 732 wrote to memory of 3732	732	dmskqmkd.exe	vbc.exe
PID 732 wrote to memory of 3732	732	dmskqmkd.exe	vbc.exe
PID 732 wrote to memory of 3732	732	dmskqmkd.exe	vbc.exe
PID 732 wrote to memory of 3732	732	dmskqmkd.exe	vbc.exe
PID 732 wrote to memory of 3732	732	dmskqmkd.exe	vbc.exe
PID 732 wrote to memory of 3732	732	dmskqmkd.exe	vbc.exe
PID 732 wrote to memory of 3732	732	dmskqmkd.exe	vbc.exe
PID 732 wrote to memory of 2368	732	dmskqmkd.exe	cmd.exe
PID 732 wrote to memory of 2368	732	dmskqmkd.exe	cmd.exe
PID 732 wrote to memory of 2368	732	dmskqmkd.exe	cmd.exe
PID 732 wrote to memory of 3340	732	dmskqmkd.exe	cmd.exe
PID 732 wrote to memory of 3340	732	dmskqmkd.exe	cmd.exe
PID 732 wrote to memory of 3340	732	dmskqmkd.exe	cmd.exe
PID 732 wrote to memory of 2276	732	dmskqmkd.exe	cmd.exe
PID 732 wrote to memory of 2276	732	dmskqmkd.exe	cmd.exe
PID 732 wrote to memory of 2276	732	dmskqmkd.exe	cmd.exe
PID 3340 wrote to memory of 4740	3340	cmd.exe	vbc.exe
PID 3340 wrote to memory of 4740	3340	cmd.exe	vbc.exe
PID 3340 wrote to memory of 4740	3340	cmd.exe	vbc.exe
PID 3812 wrote to memory of 4740	3812	dmskqmkd.exe	vbc.exe
PID 3812 wrote to memory of 4740	3812	dmskqmkd.exe	vbc.exe
PID 3812 wrote to memory of 4740	3812	dmskqmkd.exe	vbc.exe
PID 3812 wrote to memory of 4740	3812	dmskqmkd.exe	vbc.exe
PID 3812 wrote to memory of 4740	3812	dmskqmkd.exe	vbc.exe
PID 3812 wrote to memory of 4740	3812	dmskqmkd.exe	vbc.exe
PID 3812 wrote to memory of 4740	3812	dmskqmkd.exe	vbc.exe
PID 3812 wrote to memory of 4740	3812	dmskqmkd.exe	vbc.exe
PID 3812 wrote to memory of 5132	3812	dmskqmkd.exe	cmd.exe
PID 3812 wrote to memory of 5132	3812	dmskqmkd.exe	cmd.exe
PID 3812 wrote to memory of 5132	3812	dmskqmkd.exe	cmd.exe
PID 3812 wrote to memory of 5140	3812	dmskqmkd.exe	cmd.exe
PID 3812 wrote to memory of 5140	3812	dmskqmkd.exe	cmd.exe
PID 3812 wrote to memory of 5140	3812	dmskqmkd.exe	cmd.exe
PID 3812 wrote to memory of 5148	3812	dmskqmkd.exe	cmd.exe
PID 3812 wrote to memory of 5148	3812	dmskqmkd.exe	cmd.exe
PID 3812 wrote to memory of 5148	3812	dmskqmkd.exe	cmd.exe
PID 5140 wrote to memory of 5312	5140	cmd.exe	schtasks.exe
PID 5140 wrote to memory of 5312	5140	cmd.exe	schtasks.exe
PID 5140 wrote to memory of 5312	5140	cmd.exe	schtasks.exe
PID 5752 wrote to memory of 5776	5752	dmskqmkd.exe	vbc.exe
PID 5752 wrote to memory of 5776	5752	dmskqmkd.exe	vbc.exe
PID 5752 wrote to memory of 5776	5752	dmskqmkd.exe	vbc.exe
PID 5752 wrote to memory of 5776	5752	dmskqmkd.exe	vbc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://91.92.249.238/
1⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3980,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:1
1⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3492,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:1
1⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5380,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:1
1⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5548,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
1⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5560,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:8
1⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6028,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:1
1⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:8
1⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6540,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:8
1⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6220,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:1
1⤵
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6972,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6960 /prefetch:8
1⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7084,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:8
1⤵
PID:3724

C:\Users\Admin\Downloads\dmskqmkd.exe
"C:\Users\Admin\Downloads\dmskqmkd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\file"
2⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3236

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\dmskqmkd.exe" "C:\Users\Admin\AppData\Roaming\file\file.exe"
2⤵
PID:5080

C:\Users\Admin\Downloads\dmskqmkd.exe
"C:\Users\Admin\Downloads\dmskqmkd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\file"
2⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\dmskqmkd.exe" "C:\Users\Admin\AppData\Roaming\file\file.exe"
2⤵
PID:2276

C:\Users\Admin\Downloads\dmskqmkd.exe
"C:\Users\Admin\Downloads\dmskqmkd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\file"
2⤵
PID:5132

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5140

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5312

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\dmskqmkd.exe" "C:\Users\Admin\AppData\Roaming\file\file.exe"
2⤵
PID:5148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5556

C:\Users\Admin\Downloads\dmskqmkd.exe
"C:\Users\Admin\Downloads\dmskqmkd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:5776

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\file"
2⤵
PID:5788

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
2⤵
PID:5804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5928

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\dmskqmkd.exe" "C:\Users\Admin\AppData\Roaming\file\file.exe"
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6340,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:8
1⤵
PID:5988

C:\Users\Admin\Downloads\dmskqmkd.exe
"C:\Users\Admin\Downloads\dmskqmkd.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:5792

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\file"
2⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
2⤵
PID:5852

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\file\file.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5800

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\dmskqmkd.exe" "C:\Users\Admin\AppData\Roaming\file\file.exe"
2⤵
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dmskqmkd.exe.log

Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
701B

MD5
5de8527438c860bfa3140dc420a03e52

SHA1
235af682986b3292f20d8d71a8671353f5d6e16d

SHA256
d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92

SHA512
77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8

Download Submit
C:\Users\Admin\AppData\Roaming\file\file.exe

Filesize
30.0MB

MD5
1d05f1d0da2b9448a4ae7f6870070991

SHA1
11d6dd496b3981418c2274107697fdab994e6ef9

SHA256
02fa0d1505796fd72fc0c0b2c618e3242be93c47e6a40a78b6160fa5d50543b3

SHA512
fdb589eb92e7ce1c74503b75d104f7df1ae0d291e9e08026fdfc433104025277e31e4a3725c96e806b6b6277b668837c9c9b46a797b1bead5e8af158297a5475

Download Submit
memory/3244-0-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/3244-1-0x0000000000790000-0x00000000007FA000-memory.dmp

Filesize
424KB

Download
memory/3244-3-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/3244-2-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3244-8-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-9-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-7-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4392-14-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/4392-6-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-19-0x00000000064D0000-0x00000000064E2000-memory.dmp

Filesize
72KB

Download
memory/4392-24-0x0000000006910000-0x000000000694C000-memory.dmp

Filesize
240KB

Download
memory/4392-25-0x0000000007050000-0x000000000705A000-memory.dmp

Filesize
40KB

Download
memory/4392-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4392-31-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-32-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads