quasar | 8739b236fb674c2c3516bc43ecf4b6583ea22ca0d4b2fe417b6223d654d52011

General

Target

SynapseX Revamped V1.5/SynapseXBootstrapper.exe
Size

3.1MB
MD5

9434a1822088cedbce057d280c235864
SHA1

c09173a18e5ae2d9d38bd4d3d196adf1423f924e
SHA256

de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336
SHA512

7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632
SSDEEP

49152:PvnI22SsaNYfdPBldt698dBcjHHeJ/uBx3ioGdyTHHB72eh2NT:PvI22SsaNYfdPBldt6+dBcjH4/X

Score

10^/10

quasar windows update spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

C2

skbidiooiilet-31205.portmap.host:31205

Mutex

b2f09b33-2e5b-4ffa-afbf-3f1aaed274a6

Attributes

encryption_key
6F721445F7E0B1CF58980D84A9D49F4458D4EFD9
install_name
Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
Windows Update

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4572-1-0x0000000000510000-0x0000000000834000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Update.exe

pid process

1820 Update.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1436 schtasks.exe
1876 schtasks.exe

pid	process
1820	Update.exe

pid	process
1436	schtasks.exe
1876	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

3772 msedge.exe
3772 msedge.exe
1276 msedge.exe
1276 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1276 msedge.exe
1276 msedge.exe
1276 msedge.exe
1276 msedge.exe

pid	process
3772	msedge.exe
3772	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SynapseXBootstrapper.exeUpdate.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4572	SynapseXBootstrapper.exe
Token: SeDebugPrivilege	1820	Update.exe
Token: SeManageVolumePrivilege	3500	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SynapseXBootstrapper.exeUpdate.exemsedge.exe

description	pid	process	target process
PID 4572 wrote to memory of 1436	4572	SynapseXBootstrapper.exe	schtasks.exe
PID 4572 wrote to memory of 1436	4572	SynapseXBootstrapper.exe	schtasks.exe
PID 4572 wrote to memory of 1820	4572	SynapseXBootstrapper.exe	Update.exe
PID 4572 wrote to memory of 1820	4572	SynapseXBootstrapper.exe	Update.exe
PID 1820 wrote to memory of 1876	1820	Update.exe	schtasks.exe
PID 1820 wrote to memory of 1876	1820	Update.exe	schtasks.exe
PID 1276 wrote to memory of 3704	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 3704	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 5008	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 3772	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 3772	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe
PID 1276 wrote to memory of 1740	1276	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1436

C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc00a046f8,0x7ffc00a04708,0x7ffc00a04718
2⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14748075775162264916,1038877916641964821,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
2⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14748075775162264916,1038877916641964821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14748075775162264916,1038877916641964821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
2⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14748075775162264916,1038877916641964821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
2⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14748075775162264916,1038877916641964821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14748075775162264916,1038877916641964821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
2⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14748075775162264916,1038877916641964821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
2⤵
PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9b85b701f3e75c8f91f74b0d7b2d2462

SHA1
baa01d7f212ea92603b705f16dadd66eb70ee40e

SHA256
f61ceddbbb3c89b96f0a1ce321fe9da83569a5914fcccd1dde848e438cc785be

SHA512
c42575271b0b30c29de60ac2d20bdba88dc2c01458d99ae4145bda3cf996a28e93b94778110a31a0c72dbde54f2ed41a99996cc41d26f1db36bd12ab36a9514b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34faf39f52444b4e50e7a8048928df14

SHA1
215ca9e3b64574d1f819ab238c2d8a288cc582f8

SHA256
474ee645c73c81d3e47ee9d35b5c0545fe096bd1c23e0b38d94f949bf513eb12

SHA512
a0aee18a1a2d14e538bafdf985fa6079e979428821c4130f393879a203b8de0a183134edd87d0b5b7512aa2dffed2f0e0173c42a1eee4e4ea4feb1063e77d3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
06a6cba93144cfe1d1ae1c09618ca59c

SHA1
4c9c2363490e24d8389e56808382b66889c92559

SHA256
53a2ccf1c570b466b9d7752be6043d9a11419a3c1b96c513f09e17108b894e12

SHA512
ec579a3d55326e99c1cc36712d128b2b3410269dc3b93e3dbd75d81eca72364e4107b55ee25f8e770e920dd88f8391ebb18129ee1766f49ba19c9af56f95f218

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe

Filesize
3.1MB

MD5
9434a1822088cedbce057d280c235864

SHA1
c09173a18e5ae2d9d38bd4d3d196adf1423f924e

SHA256
de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336

SHA512
7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632

Download Submit
\??\pipe\LOCAL\crashpad_1276_FNDTLZQXECTZHGNE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1820-11-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1820-14-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1820-13-0x000000001BBE0000-0x000000001BC92000-memory.dmp

Filesize
712KB

Download
memory/1820-12-0x000000001BAD0000-0x000000001BB20000-memory.dmp

Filesize
320KB

Download
memory/1820-10-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-53-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-64-0x00000244E6F20000-0x00000244E6F21000-memory.dmp

Filesize
4KB

Download
memory/3500-50-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-51-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-52-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-15-0x00000244DEC40000-0x00000244DEC50000-memory.dmp

Filesize
64KB

Download
memory/3500-54-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-55-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-56-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-57-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-59-0x00000244E6F20000-0x00000244E6F21000-memory.dmp

Filesize
4KB

Download
memory/3500-58-0x00000244E6F30000-0x00000244E6F31000-memory.dmp

Filesize
4KB

Download
memory/3500-61-0x00000244E6F30000-0x00000244E6F31000-memory.dmp

Filesize
4KB

Download
memory/3500-49-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-67-0x00000244E6E60000-0x00000244E6E61000-memory.dmp

Filesize
4KB

Download
memory/3500-79-0x00000244E7060000-0x00000244E7061000-memory.dmp

Filesize
4KB

Download
memory/3500-81-0x00000244E7070000-0x00000244E7071000-memory.dmp

Filesize
4KB

Download
memory/3500-82-0x00000244E7070000-0x00000244E7071000-memory.dmp

Filesize
4KB

Download
memory/3500-83-0x00000244E7180000-0x00000244E7181000-memory.dmp

Filesize
4KB

Download
memory/3500-48-0x00000244E7310000-0x00000244E7311000-memory.dmp

Filesize
4KB

Download
memory/3500-47-0x00000244E72E0000-0x00000244E72E1000-memory.dmp

Filesize
4KB

Download
memory/3500-31-0x00000244DED40000-0x00000244DED50000-memory.dmp

Filesize
64KB

Download
memory/4572-0-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp

Filesize
8KB

Download
memory/4572-9-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-2-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-1-0x0000000000510000-0x0000000000834000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads