quasar | 62ae14d3dd02e1b12d50084d22ca02ada727f525de08f77ed932deb7d1db7f01

General

Target

CATALOGUE2024.GBLTD.exe
Size

1.1MB
MD5

d276007d99a3f3aa1f0c9d85857f580b
SHA1

d2a920b76ceb676c5cced1504bea5056824c942d
SHA256

4b32b987a1815005b4cce599f2691cf7600433da1886a3e4d79fa80ac85df8d7
SHA512

ba1fb1e882c3d4f86d2cb02fe2b7883de1b47bb16fb9e3e418d36a77f8d1e87fb13a4df2557db909ee0b4896f38fda0026ca8002d19c1b26e89c090bec906639
SSDEEP

24576:peq3eRCl8rvXzpmsCraU8hgHjUBE5zxLv0SPuvi3lnQUpxLJY:IRCirbjU8hgDU6CWoiWixO

Score

10^/10

quasar venomrat shanjqhandohdbt4 discovery evasion execution rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

ShanjQhandohDBT4

C2

127.0.0.1:4782

Mutex

VNM_MUTEX_TsedL3VlE1RYgzxmD0

Attributes

encryption_key
n36uZkPlhyNINnnTiI80
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Corporation
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2364-24-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2364-23-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2364-20-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2364-25-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2364-18-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

MSBuild.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	MSBuild.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	MSBuild.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	MSBuild.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	MSBuild.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2364-24-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2364-23-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2364-20-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2364-25-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2364-18-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2712 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

904 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1400 Client.exe
Loads dropped DLL 1 IoCs

Processes:

MSBuild.exe

pid process

2364 MSBuild.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

CATALOGUE2024.GBLTD.exe

description pid process target process

PID 2120 set thread context of 2364 2120 CATALOGUE2024.GBLTD.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2712	powershell.exe

pid	process
904	cmd.exe

pid	process
1400	Client.exe

pid	process
2364	MSBuild.exe

flow	ioc
2	ip-api.com

description	pid	process	target process
PID 2120 set thread context of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CATALOGUE2024.GBLTD.exeClient.exepowershell.execmd.exePING.EXEpowershell.exeMSBuild.execmd.exechcp.comMSBuild.exeschtasks.exeschtasks.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CATALOGUE2024.GBLTD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

968 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

968 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2340 schtasks.exe
2512 schtasks.exe

pid	process
968	PING.EXE

pid	process
968	PING.EXE

pid	process
2340	schtasks.exe
2512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

CATALOGUE2024.GBLTD.exepowershell.exepowershell.exeMSBuild.exe

pid	process
2120	CATALOGUE2024.GBLTD.exe
2120	CATALOGUE2024.GBLTD.exe
2712	powershell.exe
832	powershell.exe
2364	MSBuild.exe
2364	MSBuild.exe
2364	MSBuild.exe
2364	MSBuild.exe
2364	MSBuild.exe
2364	MSBuild.exe
2364	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CATALOGUE2024.GBLTD.exepowershell.exeMSBuild.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2120	CATALOGUE2024.GBLTD.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2364	MSBuild.exe
Token: SeDebugPrivilege	832	powershell.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

CATALOGUE2024.GBLTD.exeMSBuild.execmd.execmd.exe

description	pid	process	target process
PID 2120 wrote to memory of 2712	2120	CATALOGUE2024.GBLTD.exe	powershell.exe
PID 2120 wrote to memory of 2712	2120	CATALOGUE2024.GBLTD.exe	powershell.exe
PID 2120 wrote to memory of 2712	2120	CATALOGUE2024.GBLTD.exe	powershell.exe
PID 2120 wrote to memory of 2712	2120	CATALOGUE2024.GBLTD.exe	powershell.exe
PID 2120 wrote to memory of 2340	2120	CATALOGUE2024.GBLTD.exe	schtasks.exe
PID 2120 wrote to memory of 2340	2120	CATALOGUE2024.GBLTD.exe	schtasks.exe
PID 2120 wrote to memory of 2340	2120	CATALOGUE2024.GBLTD.exe	schtasks.exe
PID 2120 wrote to memory of 2340	2120	CATALOGUE2024.GBLTD.exe	schtasks.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2120 wrote to memory of 2364	2120	CATALOGUE2024.GBLTD.exe	MSBuild.exe
PID 2364 wrote to memory of 2512	2364	MSBuild.exe	schtasks.exe
PID 2364 wrote to memory of 2512	2364	MSBuild.exe	schtasks.exe
PID 2364 wrote to memory of 2512	2364	MSBuild.exe	schtasks.exe
PID 2364 wrote to memory of 2512	2364	MSBuild.exe	schtasks.exe
PID 2364 wrote to memory of 1400	2364	MSBuild.exe	Client.exe
PID 2364 wrote to memory of 1400	2364	MSBuild.exe	Client.exe
PID 2364 wrote to memory of 1400	2364	MSBuild.exe	Client.exe
PID 2364 wrote to memory of 1400	2364	MSBuild.exe	Client.exe
PID 2364 wrote to memory of 832	2364	MSBuild.exe	powershell.exe
PID 2364 wrote to memory of 832	2364	MSBuild.exe	powershell.exe
PID 2364 wrote to memory of 832	2364	MSBuild.exe	powershell.exe
PID 2364 wrote to memory of 832	2364	MSBuild.exe	powershell.exe
PID 2364 wrote to memory of 2128	2364	MSBuild.exe	cmd.exe
PID 2364 wrote to memory of 2128	2364	MSBuild.exe	cmd.exe
PID 2364 wrote to memory of 2128	2364	MSBuild.exe	cmd.exe
PID 2364 wrote to memory of 2128	2364	MSBuild.exe	cmd.exe
PID 2128 wrote to memory of 904	2128	cmd.exe	cmd.exe
PID 2128 wrote to memory of 904	2128	cmd.exe	cmd.exe
PID 2128 wrote to memory of 904	2128	cmd.exe	cmd.exe
PID 2128 wrote to memory of 904	2128	cmd.exe	cmd.exe
PID 2364 wrote to memory of 1820	2364	MSBuild.exe	cmd.exe
PID 2364 wrote to memory of 1820	2364	MSBuild.exe	cmd.exe
PID 2364 wrote to memory of 1820	2364	MSBuild.exe	cmd.exe
PID 2364 wrote to memory of 1820	2364	MSBuild.exe	cmd.exe
PID 1820 wrote to memory of 708	1820	cmd.exe	chcp.com
PID 1820 wrote to memory of 708	1820	cmd.exe	chcp.com
PID 1820 wrote to memory of 708	1820	cmd.exe	chcp.com
PID 1820 wrote to memory of 708	1820	cmd.exe	chcp.com
PID 1820 wrote to memory of 968	1820	cmd.exe	PING.EXE
PID 1820 wrote to memory of 968	1820	cmd.exe	PING.EXE
PID 1820 wrote to memory of 968	1820	cmd.exe	PING.EXE
PID 1820 wrote to memory of 968	1820	cmd.exe	PING.EXE
PID 1820 wrote to memory of 1048	1820	cmd.exe	MSBuild.exe
PID 1820 wrote to memory of 1048	1820	cmd.exe	MSBuild.exe
PID 1820 wrote to memory of 1048	1820	cmd.exe	MSBuild.exe
PID 1820 wrote to memory of 1048	1820	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\CATALOGUE2024.GBLTD.exe
"C:\Users\Admin\AppData\Local\Temp\CATALOGUE2024.GBLTD.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JxgqJBqcy.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JxgqJBqcy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF74.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Microsoft Corporation" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2512
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1400
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\MK26JioqKKAP.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:708
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2925.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MK26JioqKKAP.bat

Filesize
216B

MD5
c872074c9d4e1fb126be21746361f93d

SHA1
721852e464190a564c0e5bc0cb1676e95bf971c5

SHA256
366cd4beb02d043a20b0c1c0a5aa44d5859cd065914cd3976d85533c5c1f00e5

SHA512
6bf04ca8ac953861a3d2bc3dc2fb01e0eed6efabb6bb9cd7fde7fcbb7800add5d44de237d6f89c8683c2cfc4b3228a0723a69b190670297f237bc52d88cd32da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2937.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF74.tmp

Filesize
1KB

MD5
55d97fdc14fb4006bc7a4bad416c5945

SHA1
61b211f11fc569dc501a32daf6a2989cccf8f084

SHA256
78b6c3c6e953bb850b9f7cf761cc680fd78fdf54c724a89240580644f86b4d43

SHA512
c3bf92f35658661ab41b21d598a53cfb4cbd8dcbdb79eafefb0df98c1d5a5026e122c0b873ce45741a6ee05486c7c358776910a48644ef4db145887856569369

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b15c6a07f378a47ea7968a462f199fd6

SHA1
ddce8b2bb8c94cd78ec7b0c9f3496296e43bb9f8

SHA256
cf8c89534a2103317b0969c23085c2f5a9cfecc69ce3df27d61bbb639422955c

SHA512
8d5f175ebaeeb67d4b69a6fb5a615223498eb7a5ff8a2dcc01bb4ae5c3694a91a3a754670e900e26ad4970d66d5d646683c9f125eadd9890a9ba403bb42e4e73

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/1048-101-0x0000000000FC0000-0x0000000001000000-memory.dmp

Filesize
256KB

Download
memory/1400-34-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/2120-6-0x0000000007CF0000-0x0000000007DBE000-memory.dmp

Filesize
824KB

Download
memory/2120-26-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-1-0x0000000000BA0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2120-2-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-3-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2120-4-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2120-5-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2364-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2364-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2364-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2364-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2364-25-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2364-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2364-23-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2364-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads