njrat | 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

Resubmissions

09/02/2025, 17:26

250209-vzvbzaxpck 10

09/02/2025, 17:22

09/02/2025, 16:34

09/02/2025, 16:32

27/01/2025, 22:33

27/01/2025, 22:28

27/01/2025, 22:21

Analysis

max time kernel
7s
max time network
37s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27/01/2025, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score

10^/10

njrat quasar vidar hacked office04 powerstealer prudabackend defense_evasion discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

powerstealer

192.168.56.1:4782

Mutex

6760d0e9-9df9-4aba-89be-4e5ce3e92cc8

Attributes

encryption_key
057FCAF700E62ACFECC7338C474084AF9B47ABEB
install_name
powerstealer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

vidar

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

100.108.37.105:4444

127.0.0.1:4444

Mutex

95a85978-c10d-4a09-935b-c02a2a18a609

Attributes

encryption_key
6FDAA03D192B9C03BF83E41A8BBF78996D321E27
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

127.0.0.1:5513

Mutex

67364a37f43593883a7b70eb2426799a

Attributes

reg_key
67364a37f43593883a7b70eb2426799a
splitter
|'|'|

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral4/files/0x00280000000461ad-41.dat	family_vidar_v7
behavioral4/memory/3948-47-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral4/memory/3472-62-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral4/files/0x00280000000461af-63.dat	family_vidar_v7
behavioral4/memory/3948-121-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral4/memory/3472-143-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral4/files/0x00290000000461a2-7.dat	family_quasar
behavioral4/memory/3676-20-0x0000000000860000-0x0000000000B84000-memory.dmp	family_quasar
behavioral4/files/0x00280000000461ac-25.dat	family_quasar
behavioral4/memory/4740-36-0x0000000000D80000-0x00000000010AA000-memory.dmp	family_quasar
behavioral4/files/0x00280000000461b6-72.dat	family_quasar
behavioral4/memory/4836-83-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral4/files/0x002a0000000461b9-97.dat	family_quasar
behavioral4/memory/1324-108-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Downloads MZ/PE file 5 IoCs

flow	pid	Process
24	4412	New Text Document.exe
24	4412	New Text Document.exe
35	4412	New Text Document.exe
7	4412	New Text Document.exe
31	4412	New Text Document.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5032	netsh.exe
3292	netsh.exe
2948	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Control Panel\International\Geo\Nation	New Text Document.exe

Executes dropped EXE 6 IoCs

pid	Process
3676	updater.exe
4740	Discord.exe
3948	noyjhoadw.exe
1200	update.exe
3472	build.exe
3372	powerstealer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noyjhoadw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1004	schtasks.exe
3716	schtasks.exe
2176	schtasks.exe
696	schtasks.exe
4868	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	New Text Document.exe
Token: SeDebugPrivilege	3676	updater.exe
Token: SeDebugPrivilege	4740	Discord.exe
Token: SeDebugPrivilege	1200	update.exe
Token: SeDebugPrivilege	3372	powerstealer.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 3676	4412	New Text Document.exe	86
PID 4412 wrote to memory of 3676	4412	New Text Document.exe	86
PID 4412 wrote to memory of 4740	4412	New Text Document.exe	87
PID 4412 wrote to memory of 4740	4412	New Text Document.exe	87
PID 4412 wrote to memory of 3948	4412	New Text Document.exe	88
PID 4412 wrote to memory of 3948	4412	New Text Document.exe	88
PID 4412 wrote to memory of 3948	4412	New Text Document.exe	88
PID 3676 wrote to memory of 2176	3676	updater.exe	89
PID 3676 wrote to memory of 2176	3676	updater.exe	89
PID 4740 wrote to memory of 696	4740	Discord.exe	91
PID 4740 wrote to memory of 696	4740	Discord.exe	91
PID 3676 wrote to memory of 1200	3676	updater.exe	93
PID 3676 wrote to memory of 1200	3676	updater.exe	93
PID 4412 wrote to memory of 3472	4412	New Text Document.exe	94
PID 4412 wrote to memory of 3472	4412	New Text Document.exe	94
PID 4412 wrote to memory of 3472	4412	New Text Document.exe	94
PID 4740 wrote to memory of 3372	4740	Discord.exe	95
PID 4740 wrote to memory of 3372	4740	Discord.exe	95
PID 1200 wrote to memory of 4868	1200	update.exe	96
PID 1200 wrote to memory of 4868	1200	update.exe	96
PID 3372 wrote to memory of 1004	3372	powerstealer.exe	98
PID 3372 wrote to memory of 1004	3372	powerstealer.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\a\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\a\updater.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2176
- - C:\Windows\system32\update.exe
    "C:\Windows\system32\update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4868
- C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:696
- - C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1004
- C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\a\build.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\a\fag3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fag3.exe"
  2⤵
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\a\fag.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fag.exe"
  2⤵
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\a\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
  2⤵
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    PID:4648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:5032
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Modifies Windows Firewall
      PID:3292
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2948
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB6ABD5C8B98473A20C12EFFB847B7E2

Filesize
345B

MD5
7edbce9b8d730aab97bad5fb0fd94c80

SHA1
7201189c4ed6f6c0395c6e72ab100633b8257a0c

SHA256
c8b0d844bd3624524a1f4682797bf3db7f96057707c038345f925abdcb719fae

SHA512
6dddab7ae53df794df1613befa618a5b76d00d170074741df7d6cda43b0dc47051b50673ba5454a2a30ce5be6f81f21f0a3d973e2a819c8f18d60394a23c26a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
cba5a0cfeafe17c05989456233887ecd

SHA1
bf76a34873539a80d48cbfac1c5021aa6fff7aa0

SHA256
d4484067b92db8a65b850bbc968ddc8593ce33d7b0ec9813b5275d34a5b1bb33

SHA512
f4db93b9710eea2b28343706ab0d0265b1b45b363544c93928e4dd24b5bfc7416c267fe408085ea7d4819690b8e2f7d4f86b3f1382b65571a97845a49c014777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB6ABD5C8B98473A20C12EFFB847B7E2

Filesize
540B

MD5
dbc6397e800da47d09e33ccf9185f9fb

SHA1
f6128a9086a895c84c5c3d249f5b5fda5a3771e1

SHA256
63a0528d86622356d71605b331ff1c3fbf49d475783e3f6fb0034094f5f24bca

SHA512
ed9af42bab8e4042fd3d19eb589ad0efeb38b96e079017c3614deaca28fd0c80ffd3c4c4114f76f0c466022c8f07b68edeb4553fbb890b53a40d1cae744c0212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
11c924dd7e95b6c1243d3dc6a6cda57d

SHA1
dc5becbb4ba7c94037c13de7163b541f4dfe0b7b

SHA256
18ebe71e164d362b1c0464dda0cb3269b2940c40abd588bde37d92c81263ba52

SHA512
dd021f43ce21d1fb35119fa9303b09281365ca676b6e944de844b397dd407cee9b17b740220bb09d024ffb6e1acf45d4c41ea4101e6cb011f7a1fa9cbf8e2432

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

Filesize
3.1MB

MD5
bedd5e5f44b78c79f93e29dc184cfa3d

SHA1
11e7e692b9a6b475f8561f283b2dd59c3cd19bfd

SHA256
e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c

SHA512
3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Server.exe

Filesize
93KB

MD5
a9ba2416df448c5f3b36581ecfa4cd31

SHA1
105592c84c83cbf4e6f7b6978ecb6d37c99440b7

SHA256
b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf

SHA512
456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe

Filesize
119KB

MD5
08388bb4894c71e7b1be4bad966c3824

SHA1
7437ac98f08fc41283b900aa6fb0ae350d59dd6c

SHA256
986a98dc33a925fa232e1e5311807c7681cad9e0f07957d81e4f2f8257503f9c

SHA512
2adf5154e7dca7de1fcf12560c97f1b74e66fb3c5074d8fa9d29dd9da91a1314f9fc18270808c12364c4941a6a2346109824bd4c625df905f9be84af393934b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fag.exe

Filesize
3.1MB

MD5
814d032273cdbdc32dc6a232c108129f

SHA1
bd4b3bea0d543dd287fd952a5ae053f649f11fe4

SHA256
95e8911b88b45f18c2f415df69166ea5dadc1af3ee4ed79d42ca31dc812c4043

SHA512
1aca47dc3e839f192a0c51c396f1596f03a843c88883a6d4be02ce55647585d6a98e8ed215872661dbe412d9095eabf334fec5545a4a1dcf75a3ebe48dd2cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fag3.exe

Filesize
3.1MB

MD5
6b6cd0ace200ae15a3c40568bd516739

SHA1
c17c2dae1f9d4a3268f51ba9acf2095171408621

SHA256
9746060c7d36d8675945405b0c1928fb6bbcfe1bbac0f4c3247bd245ac6c4271

SHA512
4330446f193832bc3cdba0461df477ed7b27af44cce83daa7bf4c46afacee37b8e5ce7191573b23604efbeef66b2ed763adc156303e3e3927e1fc315ba22b1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe

Filesize
119KB

MD5
65cc23e7237f3cff2d206a269793772e

SHA1
fa3b354d2a7a4a673d4477ddcf1e1f2c93bb05fd

SHA256
a57a8a3c3c073632337bb870db56538ef3d3cebd1ada4c3ed2397ea73a6923fb

SHA512
7596ec7aeef7fcf446328dc928a835a54fa1060264b170baf2413252977bb0ac0b8da96867895530601cc098516e7bb82d1edbabfcfccd29d24619fe89f49613

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tdis.exe

Filesize
1KB

MD5
1326c16a18441423830933fbb3a6a290

SHA1
d62b5f0ec9ae7a82209938c347311519b9fc1084

SHA256
3bb40456027c77d05b991e4686f10e51739a6ebdca3e33ec5edcd1e2c28b34cf

SHA512
2b9076d43ccc836c89bcd4cc1946008b1d0268edf432d37659960f4ffb9836ca65e638b61305f374ba71b2fa21ac3210482c0e6287288e75bcd44d4fbeb3e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\updater.exe

Filesize
3.1MB

MD5
c965446805dc5c40e1bffe859716bea7

SHA1
7d6b257f8f830f512552bd11b36bb1fc88a1e966

SHA256
874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

SHA512
157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
c60feebd511c87b86dea130692995a0f

SHA1
d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a

SHA256
632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511

SHA512
bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

Download Submit
memory/1200-67-0x000000001C680000-0x000000001C732000-memory.dmp

Filesize
712KB

Download
memory/1200-117-0x000000001D180000-0x000000001D1BC000-memory.dmp

Filesize
240KB

Download
memory/1200-66-0x000000001B350000-0x000000001B3A0000-memory.dmp

Filesize
320KB

Download
memory/1200-113-0x000000001C5F0000-0x000000001C602000-memory.dmp

Filesize
72KB

Download
memory/1324-108-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/3472-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3472-143-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3676-51-0x00007FFE49C60000-0x00007FFE4A722000-memory.dmp

Filesize
10.8MB

Download
memory/3676-19-0x00007FFE49C60000-0x00007FFE4A722000-memory.dmp

Filesize
10.8MB

Download
memory/3676-20-0x0000000000860000-0x0000000000B84000-memory.dmp

Filesize
3.1MB

Download
memory/3676-33-0x00007FFE49C60000-0x00007FFE4A722000-memory.dmp

Filesize
10.8MB

Download
memory/3948-121-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3948-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4412-73-0x00007FFE49C63000-0x00007FFE49C65000-memory.dmp

Filesize
8KB

Download
memory/4412-84-0x00007FFE49C60000-0x00007FFE4A722000-memory.dmp

Filesize
10.8MB

Download
memory/4412-0-0x00007FFE49C63000-0x00007FFE49C65000-memory.dmp

Filesize
8KB

Download
memory/4412-2-0x00007FFE49C60000-0x00007FFE4A722000-memory.dmp

Filesize
10.8MB

Download
memory/4412-1-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/4740-36-0x0000000000D80000-0x00000000010AA000-memory.dmp

Filesize
3.2MB

Download
memory/4836-83-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads