vidar | 6ba3d50f87b4c2c81a8ab9247f2fafa6f4ec31d1f3acffbdb40a83ab351df9be

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 11:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c4d8c8f396f66d9b556ab05344a8cd.exe
Size

93KB
MD5

90c4d8c8f396f66d9b556ab05344a8cd
SHA1

4869f0a7a3a68f4638556e9df0eef34ea0fdc9d7
SHA256

6ba3d50f87b4c2c81a8ab9247f2fafa6f4ec31d1f3acffbdb40a83ab351df9be
SHA512

4d5a61a89f6e003b92f093385bd56f5d798ac73c1cc524b261a3ff704d251ef1cb450177404651b072feab954c94f617a88bdb55620920ac620c2c115d6b960f
SSDEEP

1536:Irae78zjORCDGwfdCSog01313OQs5gcURDoq4OZZZLlCIibQwfclq8wJ:AahKyd2n31+Z5IRD68wbQbl4J

Score

10^/10

vidar 89433a6dbe159bb95b623839dcca3e27 persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

4.3

Botnet

89433a6dbe159bb95b623839dcca3e27

https://steamcommunity.com/profiles/76561199514261168

https://t.me/kamaprimo

Attributes

profile_id_v2
89433a6dbe159bb95b623839dcca3e27
user_agent
Mozilla/5.0 (Linux; U; Tizen 2.0; en-us) AppleWebKit/537.1 (KHTML, like Gecko) Mobile TizenBrowser/2.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 2 IoCs

pid	Process
2904	lieequipment.exe
4256	lieequipment0.exe

Loads dropped DLL 2 IoCs

pid	Process
4624	AppLaunch.exe
4624	AppLaunch.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	90c4d8c8f396f66d9b556ab05344a8cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	90c4d8c8f396f66d9b556ab05344a8cd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 4624	2904	lieequipment.exe	92

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe
4624	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	lieequipment.exe
Token: SeDebugPrivilege	4256	lieequipment0.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2904	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	84
PID 4232 wrote to memory of 2904	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	84
PID 4232 wrote to memory of 2904	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	84
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 2904 wrote to memory of 4624	2904	lieequipment.exe	92
PID 4232 wrote to memory of 4256	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	93
PID 4232 wrote to memory of 4256	4232	90c4d8c8f396f66d9b556ab05344a8cd.exe	93

C:\Users\Admin\AppData\Local\Temp\90c4d8c8f396f66d9b556ab05344a8cd.exe
"C:\Users\Admin\AppData\Local\Temp\90c4d8c8f396f66d9b556ab05344a8cd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4256

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

1.202.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.202.248.87.in-addr.arpa

IN PTR

Response

1.202.248.87.in-addr.arpa

IN PTR

https-87-248-202-1amsllnwnet
GET

http://5.42.64.15/fabric/Hnwjyh.wav

lieequipment.exe

Remote address:

5.42.64.15:80

Request

GET /fabric/Hnwjyh.wav HTTP/1.1
Host: 5.42.64.15
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 16 Jun 2023 11:16:13 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Thu, 15 Jun 2023 02:37:23 GMT
ETag: "106aac-5fe21f2bdf878"
Accept-Ranges: bytes
Content-Length: 1075884
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: audio/x-wav
DNS

15.64.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.64.42.5.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
GET

http://5.42.64.15/fabric/Uweyleq.dat

lieequipment0.exe

Remote address:

5.42.64.15:80

Request

GET /fabric/Uweyleq.dat HTTP/1.1
Host: 5.42.64.15
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 16 Jun 2023 11:16:58 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Thu, 15 Jun 2023 02:40:31 GMT
ETag: "1f1aac-5fe21fdf2f6e9"
Accept-Ranges: bytes
Content-Length: 2038444
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

t.me

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/kamaprimo

AppLaunch.exe

Remote address:

149.154.167.99:443

Request

GET /kamaprimo HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
Host: t.me

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 16 Jun 2023 11:16:59 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12372
Connection: keep-alive
Set-Cookie: stel_ssid=a27b258a349882fd78_11052526892246519052; expires=Sat, 17 Jun 2023 11:16:59 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
DNS

99.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.167.154.149.in-addr.arpa

IN PTR

Response
DNS

36.249.124.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.249.124.192.in-addr.arpa

IN PTR

Response

36.249.124.192.in-addr.arpa

IN PTR

cloudproxy10036sucurinet
GET

http://162.55.169.178:11022/89433a6dbe159bb95b623839dcca3e27

AppLaunch.exe

Remote address:

162.55.169.178:11022

Request

GET /89433a6dbe159bb95b623839dcca3e27 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Tizen 2.0; en-us) AppleWebKit/537.1 (KHTML, like Gecko) Mobile TizenBrowser/2.0
Host: 162.55.169.178:11022

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 16 Jun 2023 11:16:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://162.55.169.178:11022/update.zip

AppLaunch.exe

Remote address:

162.55.169.178:11022

Request

GET /update.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Tizen 2.0; en-us) AppleWebKit/537.1 (KHTML, like Gecko) Mobile TizenBrowser/2.0
Host: 162.55.169.178:11022
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 16 Jun 2023 11:16:59 GMT
Content-Type: application/zip
Content-Length: 2685679
Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
Connection: keep-alive
ETag: "631f30d3-28faef"
Accept-Ranges: bytes
POST

http://162.55.169.178:11022/

AppLaunch.exe

Remote address:

162.55.169.178:11022

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----4331035716499099
User-Agent: Mozilla/5.0 (Linux; U; Tizen 2.0; en-us) AppleWebKit/537.1 (KHTML, like Gecko) Mobile TizenBrowser/2.0
Host: 162.55.169.178:11022
Content-Length: 3081
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 16 Jun 2023 11:17:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

178.169.55.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.169.55.162.in-addr.arpa

IN PTR

Response

178.169.55.162.in-addr.arpa

IN PTR

static17816955162clientsyour-serverde
DNS

86.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.8.109.52.in-addr.arpa

IN PTR

Response

5.42.64.15:80

http://5.42.64.15/fabric/Hnwjyh.wav

http

lieequipment.exe

19.5kB
1.1MB
423
835

HTTP Request

GET http://5.42.64.15/fabric/Hnwjyh.wav

HTTP Response

200
52.152.110.14:443

260 B
5
13.69.109.131:443

322 B
7
5.42.64.15:80

http://5.42.64.15/fabric/Uweyleq.dat

http

lieequipment0.exe

37.0kB
2.1MB
803
1578

HTTP Request

GET http://5.42.64.15/fabric/Uweyleq.dat

HTTP Response

200
149.154.167.99:443

https://t.me/kamaprimo

tls, http

AppLaunch.exe

1.5kB
19.5kB
24
20

HTTP Request

GET https://t.me/kamaprimo

HTTP Response

200
162.55.169.178:11022

http://162.55.169.178:11022/

http

AppLaunch.exe

98.6kB
2.8MB
1995
1983

HTTP Request

GET http://162.55.169.178:11022/89433a6dbe159bb95b623839dcca3e27

HTTP Response

200

HTTP Request

GET http://162.55.169.178:11022/update.zip

HTTP Response

200

HTTP Request

POST http://162.55.169.178:11022/

HTTP Response

200
52.152.110.14:443

260 B
5
13.107.4.50:80

322 B
7
13.107.4.50:80

322 B
7
52.152.110.14:443

260 B
5
173.223.113.164:443

322 B
7
52.152.110.14:443

260 B
5
23.55.97.181:80

322 B
7
204.79.197.203:80

322 B
7
52.152.110.14:443

260 B
5
52.152.110.14:443

260 B
5

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

1.202.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.202.248.87.in-addr.arpa
8.8.8.8:53

15.64.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

15.64.42.5.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

t.me

dns

AppLaunch.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

99.167.154.149.in-addr.arpa

dns

73 B
166 B
1
1

DNS Request

99.167.154.149.in-addr.arpa
8.8.8.8:53

36.249.124.192.in-addr.arpa

dns

73 B
113 B
1
1

DNS Request

36.249.124.192.in-addr.arpa
8.8.8.8:53

178.169.55.162.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

178.169.55.162.in-addr.arpa
8.8.8.8:53

86.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.8.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment.exe

Filesize
16KB

MD5
1b50dfac3f2bfb78cdf4601b8e1b5c61

SHA1
63c08f6cbc2540e0dd31e6ca0e8d649f26abc57e

SHA256
18101e579338bca278f44f05e1fdb3e7efdd13bc426a37bba23b6217263ebfcb

SHA512
d3fda38fb10d5377c033c63a81a825a04906843e4e83f33162e9f495d17ffdd17355c173aa61c8358ad8094d433bfe633de9864f4918d287c8e9ab98393177f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment.exe

Filesize
16KB

MD5
1b50dfac3f2bfb78cdf4601b8e1b5c61

SHA1
63c08f6cbc2540e0dd31e6ca0e8d649f26abc57e

SHA256
18101e579338bca278f44f05e1fdb3e7efdd13bc426a37bba23b6217263ebfcb

SHA512
d3fda38fb10d5377c033c63a81a825a04906843e4e83f33162e9f495d17ffdd17355c173aa61c8358ad8094d433bfe633de9864f4918d287c8e9ab98393177f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment0.exe

Filesize
16KB

MD5
3fbb7eeb588e7f4dfb7226b4c9e3b4eb

SHA1
2741b26fbf15dd3966ccacc70f07abc5fc3787c0

SHA256
adb08edeb6ecb03217dfa385358ade3e984e40ecb379ef1e83cf5ceb133044d1

SHA512
f8d1e43649430758d05ec2e214939b1778dafe8f731974425d8710f4d1a4afbb341deedd3bb889340889a514acd62c83b8f8378bbbe235e864fb209d2db539d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lieequipment0.exe

Filesize
16KB

MD5
3fbb7eeb588e7f4dfb7226b4c9e3b4eb

SHA1
2741b26fbf15dd3966ccacc70f07abc5fc3787c0

SHA256
adb08edeb6ecb03217dfa385358ade3e984e40ecb379ef1e83cf5ceb133044d1

SHA512
f8d1e43649430758d05ec2e214939b1778dafe8f731974425d8710f4d1a4afbb341deedd3bb889340889a514acd62c83b8f8378bbbe235e864fb209d2db539d7

Download Submit
memory/2904-171-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-181-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-142-0x0000000006990000-0x0000000006F34000-memory.dmp

Filesize
5.6MB

Download
memory/2904-143-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/2904-144-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-145-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-147-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-149-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-151-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-153-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-155-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-157-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-159-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-161-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-163-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-165-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-167-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-169-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-140-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/2904-173-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-175-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-177-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-179-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-141-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/2904-183-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-185-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-187-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-189-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-191-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-193-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-195-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-197-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-199-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-201-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-203-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-205-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-207-0x00000000062F0000-0x00000000063B5000-memory.dmp

Filesize
788KB

Download
memory/2904-1066-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/2904-1067-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4256-1075-0x0000026E07180000-0x0000026E0718A000-memory.dmp

Filesize
40KB

Download
memory/4256-1085-0x0000026E21700000-0x0000026E21710000-memory.dmp

Filesize
64KB

Download
memory/4256-2079-0x0000026E08E70000-0x0000026E08E71000-memory.dmp

Filesize
4KB

Download
memory/4256-2080-0x0000026E21700000-0x0000026E21710000-memory.dmp

Filesize
64KB

Download
memory/4624-1076-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4624-1535-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.