quasar | 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

Resubmissions

09/02/2025, 17:26

250209-vzvbzaxpck 10

09/02/2025, 17:22

09/02/2025, 16:34

09/02/2025, 16:32

27/01/2025, 22:33

27/01/2025, 22:28

27/01/2025, 22:21

Analysis

max time kernel
8s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score

10^/10

quasar vidar office04 powerstealer prudabackend defense_evasion discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

powerstealer

192.168.56.1:4782

Mutex

6760d0e9-9df9-4aba-89be-4e5ce3e92cc8

Attributes

encryption_key
057FCAF700E62ACFECC7338C474084AF9B47ABEB
install_name
powerstealer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

vidar

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

100.108.37.105:4444

127.0.0.1:4444

Mutex

95a85978-c10d-4a09-935b-c02a2a18a609

Attributes

encryption_key
6FDAA03D192B9C03BF83E41A8BBF78996D321E27
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral3/files/0x000a000000023b7e-48.dat	family_vidar_v7
behavioral3/memory/2776-51-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/files/0x000a000000023b7f-65.dat	family_vidar_v7
behavioral3/memory/5060-67-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2776-88-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/5060-124-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral3/files/0x000a000000023b79-7.dat	family_quasar
behavioral3/memory/4912-17-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar
behavioral3/files/0x000a000000023b7b-34.dat	family_quasar
behavioral3/memory/2824-41-0x0000000000070000-0x000000000039A000-memory.dmp	family_quasar
behavioral3/files/0x000a000000023b86-74.dat	family_quasar
behavioral3/memory/3120-83-0x0000000000540000-0x0000000000864000-memory.dmp	family_quasar
behavioral3/files/0x000a000000023b88-93.dat	family_quasar
behavioral3/memory/724-100-0x0000000000D90000-0x00000000010B4000-memory.dmp	family_quasar

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 5 IoCs

flow	pid	Process
22	2952	New Text Document.exe
22	2952	New Text Document.exe
41	2952	New Text Document.exe
9	2952	New Text Document.exe
36	2952	New Text Document.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5108	netsh.exe
4248	netsh.exe
1104	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	New Text Document.exe

Executes dropped EXE 6 IoCs

pid	Process
4912	updater.exe
4260	update.exe
2824	Discord.exe
2776	noyjhoadw.exe
4812	powerstealer.exe
5060	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noyjhoadw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4484	schtasks.exe
544	schtasks.exe
2276	schtasks.exe
2628	schtasks.exe
3336	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	New Text Document.exe
Token: SeDebugPrivilege	4912	updater.exe
Token: SeDebugPrivilege	4260	update.exe
Token: SeDebugPrivilege	2824	Discord.exe
Token: SeDebugPrivilege	4812	powerstealer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4260	update.exe
4812	powerstealer.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 4912	2952	New Text Document.exe	83
PID 2952 wrote to memory of 4912	2952	New Text Document.exe	83
PID 4912 wrote to memory of 4484	4912	updater.exe	84
PID 4912 wrote to memory of 4484	4912	updater.exe	84
PID 4912 wrote to memory of 4260	4912	updater.exe	86
PID 4912 wrote to memory of 4260	4912	updater.exe	86
PID 4260 wrote to memory of 544	4260	update.exe	87
PID 4260 wrote to memory of 544	4260	update.exe	87
PID 2952 wrote to memory of 2824	2952	New Text Document.exe	89
PID 2952 wrote to memory of 2824	2952	New Text Document.exe	89
PID 2952 wrote to memory of 2776	2952	New Text Document.exe	93
PID 2952 wrote to memory of 2776	2952	New Text Document.exe	93
PID 2952 wrote to memory of 2776	2952	New Text Document.exe	93
PID 2824 wrote to memory of 2276	2824	Discord.exe	94
PID 2824 wrote to memory of 2276	2824	Discord.exe	94
PID 2824 wrote to memory of 4812	2824	Discord.exe	96
PID 2824 wrote to memory of 4812	2824	Discord.exe	96
PID 2952 wrote to memory of 5060	2952	New Text Document.exe	98
PID 2952 wrote to memory of 5060	2952	New Text Document.exe	98
PID 2952 wrote to memory of 5060	2952	New Text Document.exe	98
PID 4812 wrote to memory of 2628	4812	powerstealer.exe	99
PID 4812 wrote to memory of 2628	4812	powerstealer.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\a\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\a\updater.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4484
- - C:\Windows\system32\update.exe
    "C:\Windows\system32\update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:544
- C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2276
- - C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2628
- C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\a\build.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\a\fag3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fag3.exe"
  2⤵
  PID:3120
- C:\Users\Admin\AppData\Local\Temp\a\fag.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fag.exe"
  2⤵
  PID:724
- C:\Users\Admin\AppData\Local\Temp\a\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    PID:4384
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:5108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Modifies Windows Firewall
      PID:4248
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1104
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB6ABD5C8B98473A20C12EFFB847B7E2

Filesize
345B

MD5
7edbce9b8d730aab97bad5fb0fd94c80

SHA1
7201189c4ed6f6c0395c6e72ab100633b8257a0c

SHA256
c8b0d844bd3624524a1f4682797bf3db7f96057707c038345f925abdcb719fae

SHA512
6dddab7ae53df794df1613befa618a5b76d00d170074741df7d6cda43b0dc47051b50673ba5454a2a30ce5be6f81f21f0a3d973e2a819c8f18d60394a23c26a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
ec46cede641b894dfe8610eef39e6f66

SHA1
f0b33b0bef748c35f195f01127a9f74310ad8925

SHA256
ef6ed430e1ca65d06684261048dec1ec0e8842f7fbba9ec93801680c44f6c086

SHA512
5ae023175de92d187e84f523a3a641b69dc83b4dc47dbf35ee2f8eafee86ed8c5dbf8f0160a7e6353b1a4b9defefbe0280d4ba2f679d1f930135f808792a0195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB6ABD5C8B98473A20C12EFFB847B7E2

Filesize
540B

MD5
76168c0952475aa6999031c4e6a56db0

SHA1
896ae15fbd689ab86e434706136610e90f2079a6

SHA256
8670b217bcb08960de999990263768aabf183b39750290b872cbc8c84898245c

SHA512
742fce19f8e7f374f6269c0cebdb96e33cce10ac717b0a7a80ab7c39f44ad740af3ac711e6296628d96a4b335d81f18cfa52bc0a359655a2ad758fb048897760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

Filesize
3.1MB

MD5
bedd5e5f44b78c79f93e29dc184cfa3d

SHA1
11e7e692b9a6b475f8561f283b2dd59c3cd19bfd

SHA256
e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c

SHA512
3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Server.exe

Filesize
93KB

MD5
a9ba2416df448c5f3b36581ecfa4cd31

SHA1
105592c84c83cbf4e6f7b6978ecb6d37c99440b7

SHA256
b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf

SHA512
456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe

Filesize
119KB

MD5
08388bb4894c71e7b1be4bad966c3824

SHA1
7437ac98f08fc41283b900aa6fb0ae350d59dd6c

SHA256
986a98dc33a925fa232e1e5311807c7681cad9e0f07957d81e4f2f8257503f9c

SHA512
2adf5154e7dca7de1fcf12560c97f1b74e66fb3c5074d8fa9d29dd9da91a1314f9fc18270808c12364c4941a6a2346109824bd4c625df905f9be84af393934b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fag.exe

Filesize
3.1MB

MD5
814d032273cdbdc32dc6a232c108129f

SHA1
bd4b3bea0d543dd287fd952a5ae053f649f11fe4

SHA256
95e8911b88b45f18c2f415df69166ea5dadc1af3ee4ed79d42ca31dc812c4043

SHA512
1aca47dc3e839f192a0c51c396f1596f03a843c88883a6d4be02ce55647585d6a98e8ed215872661dbe412d9095eabf334fec5545a4a1dcf75a3ebe48dd2cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fag3.exe

Filesize
3.1MB

MD5
6b6cd0ace200ae15a3c40568bd516739

SHA1
c17c2dae1f9d4a3268f51ba9acf2095171408621

SHA256
9746060c7d36d8675945405b0c1928fb6bbcfe1bbac0f4c3247bd245ac6c4271

SHA512
4330446f193832bc3cdba0461df477ed7b27af44cce83daa7bf4c46afacee37b8e5ce7191573b23604efbeef66b2ed763adc156303e3e3927e1fc315ba22b1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe

Filesize
119KB

MD5
65cc23e7237f3cff2d206a269793772e

SHA1
fa3b354d2a7a4a673d4477ddcf1e1f2c93bb05fd

SHA256
a57a8a3c3c073632337bb870db56538ef3d3cebd1ada4c3ed2397ea73a6923fb

SHA512
7596ec7aeef7fcf446328dc928a835a54fa1060264b170baf2413252977bb0ac0b8da96867895530601cc098516e7bb82d1edbabfcfccd29d24619fe89f49613

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tdis.exe

Filesize
1KB

MD5
1326c16a18441423830933fbb3a6a290

SHA1
d62b5f0ec9ae7a82209938c347311519b9fc1084

SHA256
3bb40456027c77d05b991e4686f10e51739a6ebdca3e33ec5edcd1e2c28b34cf

SHA512
2b9076d43ccc836c89bcd4cc1946008b1d0268edf432d37659960f4ffb9836ca65e638b61305f374ba71b2fa21ac3210482c0e6287288e75bcd44d4fbeb3e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\updater.exe

Filesize
3.1MB

MD5
c965446805dc5c40e1bffe859716bea7

SHA1
7d6b257f8f830f512552bd11b36bb1fc88a1e966

SHA256
874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

SHA512
157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
c60feebd511c87b86dea130692995a0f

SHA1
d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a

SHA256
632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511

SHA512
bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

Download Submit
memory/724-100-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/2776-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2776-88-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2824-41-0x0000000000070000-0x000000000039A000-memory.dmp

Filesize
3.2MB

Download
memory/2952-69-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

Filesize
10.8MB

Download
memory/2952-66-0x00007FFF96933000-0x00007FFF96935000-memory.dmp

Filesize
8KB

Download
memory/2952-1-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2952-0-0x00007FFF96933000-0x00007FFF96935000-memory.dmp

Filesize
8KB

Download
memory/2952-2-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

Filesize
10.8MB

Download
memory/3120-83-0x0000000000540000-0x0000000000864000-memory.dmp

Filesize
3.1MB

Download
memory/4260-42-0x000000001BBF0000-0x000000001BC02000-memory.dmp

Filesize
72KB

Download
memory/4260-43-0x000000001C670000-0x000000001C6AC000-memory.dmp

Filesize
240KB

Download
memory/4260-27-0x000000001BC70000-0x000000001BD22000-memory.dmp

Filesize
712KB

Download
memory/4260-26-0x000000001BB60000-0x000000001BBB0000-memory.dmp

Filesize
320KB

Download
memory/4912-18-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-17-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download
memory/4912-16-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-25-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

Filesize
10.8MB

Download
memory/5060-124-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5060-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads