qakbot | 30bef9a5f75a235e9823beb54267c1bb7faacc9e067bcb4bea367df702ce997e

General

Target

01970422_890527.lnk
Size

1KB
MD5

76390978f26d3c6d7f799257542796ce
SHA1

4d3efb8f9db9519160fe13f79ef5be1c041eed0e
SHA256

03160be7cb698e1684f47071cb441ff181ff299cb38429636d11542ba8d306ae
SHA512

8c6243c7a93974dbf1a6878fbb2ad89861a4b960fb5262ba6c0e6274f78fcf93c90e80d1f007b9a6e3deafd53969fffb8f2e66adfd0e10c19fe7f65e4c597779

Score

10^/10

qakbot obama186 1654596660 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.694

Botnet

obama186

Campaign

1654596660

C2

67.165.206.193:993

63.143.92.99:995

74.14.5.179:2222

182.191.92.203:995

197.89.8.51:443

89.101.97.139:443

86.97.9.190:443

124.40.244.115:2222

80.11.74.81:2222

41.215.153.104:995

179.100.20.32:32101

31.35.28.29:443

202.134.152.2:2222

109.12.111.14:443

93.48.80.198:995

120.150.218.241:995

41.38.167.179:995

177.94.57.126:32101

173.174.216.62:443

1.161.101.20:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ykdlydtcqpai = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Lqujhkuaxe = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1396 regsvr32.exe

pid	process
1396	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

572 schtasks.exe

pid	process
572	schtasks.exe

Modifies data under HKEY_USERS 36 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5A60E6E-431F-49A8-ABBE-FCEBF9C8730A}\WpadDecisionReason = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5A60E6E-431F-49A8-ABBE-FCEBF9C8730A}\WpadNetworkName = "Network 3"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-80-09-db-74-65	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-80-09-db-74-65\WpadDecisionReason = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5A60E6E-431F-49A8-ABBE-FCEBF9C8730A}\WpadDecisionTime = 30977af91db3d801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\9a61166e = a33369b0eed6c218dd93d74c2968acee3f4648f8f9d679bc6eec14076558a99674080d2a086a28b1	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hixabdlwuopiy	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\680bceb3 = bde541b7f563d4210cd02e99b0cea93db9408f05e02c2fc3da0628ad0d7e2bc2d9b13c8d7ad86d64614c3500e03bb831924560269563d99f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\680bceb3 = bde556b7f563e11424f1306d45e87736b0e28e14a1df086ec9d1dba47c00b411060c5f613ecbe38cb761974f737a52fa6dc9d2e7a9c002bca7c40eda05cb2ef59dcfece65b3f39905568cdedd8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\e76959e4 = 0d4e02bf11be4d2e4c85f5ec9dce3663883b82078434aeb1a0a8a95346b9ace46c0cbf2e12b2493e0bc24755508863cfcc2e48f736fd10da6a6ab635fe9772ba71f6f2d46a5b4c9942adbbd58c9b099676878cb67da07746933991132589b6cd8d91e92825d154	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5A60E6E-431F-49A8-ABBE-FCEBF9C8730A}\ca-80-09-db-74-65	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\5d941efd = 4759bed06932dfeb8c8bc59e4d42e7602a175aa4ae5e4bfcda7c1c9a521ec7431fd821e6fb98bf2d3aff174f4cac2f09a6c29a1abc7674325bed318b95a4349fd9f5a120b6bbbbd5939d1876e973a6a92e55336f4f289d07bf157518b25f0d655b3529e0dff7d4259dd946af36e9bdccfd68	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\1742a145 = d45d1124ae90269a32f299bb2e6eb18658729e6c62294d8c61f308056c9db973448cd9bfe46cae44e3c69025850a70ea5ed179e1fea7246c97	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\680bceb3 = bde556b7f563e11424f1306d45e87736b0e28e14a1df086ecbd0d8a47c00b411060c5f613ecbe38cb761974f737a52fa6dc9d2e7a9c002bca7c40eda05cb2ef59dcfece65b3f39905568cdedd8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\680bceb3 = bde55fb7f563e11424f1312740e37d34b2e78a14edd40065c8dfd9924429960cb7fe70bb04f769a1be989a460b6382a95391c4a940035a2067b350a05fc725e7b8c8f0cf4d163b1978f23e2f8d9d755b6de2f2e0ba95	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0092000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\22dd710b = f2614ac97854cddb1cf626ed1c942eaf76df5888dfef8747f68f5a418c703123cc6739b20c93f68e422389eacd41aa41527cf317aac5ebf9d32f045b4cfb2911ef0f3a56617668b68c524da1bf2106877646c4b646a1765233f1c8d8aec7b5b86459e5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\e5287998 = eb3a4ad382b48b1529a22a955018bec7118ecc96c0702871a4cbd88ae31ad7704651b7f30fdf483001fa	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5A60E6E-431F-49A8-ABBE-FCEBF9C8730A}\WpadDecision = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-80-09-db-74-65\WpadDecision = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5A60E6E-431F-49A8-ABBE-FCEBF9C8730A}	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-80-09-db-74-65\WpadDecisionTime = 30977af91db3d801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Hixabdlwuopiy\5fd53e81 = 908791c3c1f2e479129b680b73f8e89589764331c5beafd3fbef777e7954aa24d5c5d3a135b99fb3b74fe0930cdaf55f722abc3323012141cf18e67d6bb1741fb68123921a33a8	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exeregsvr32.exe

pid	process
1488	rundll32.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1396	regsvr32.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1488 rundll32.exe
1396 regsvr32.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

cmd.exerundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1660 wrote to memory of 1868	1660	cmd.exe	rundll32.exe
PID 1660 wrote to memory of 1868	1660	cmd.exe	rundll32.exe
PID 1660 wrote to memory of 1868	1660	cmd.exe	rundll32.exe
PID 1868 wrote to memory of 1488	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1488	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1488	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1488	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1488	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1488	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1488	1868	rundll32.exe	rundll32.exe
PID 1488 wrote to memory of 1456	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1456	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1456	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1456	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1456	1488	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 1456	1488	rundll32.exe	explorer.exe
PID 1456 wrote to memory of 572	1456	explorer.exe	schtasks.exe
PID 1456 wrote to memory of 572	1456	explorer.exe	schtasks.exe
PID 1456 wrote to memory of 572	1456	explorer.exe	schtasks.exe
PID 1456 wrote to memory of 572	1456	explorer.exe	schtasks.exe
PID 1920 wrote to memory of 1104	1920	taskeng.exe	regsvr32.exe
PID 1920 wrote to memory of 1104	1920	taskeng.exe	regsvr32.exe
PID 1920 wrote to memory of 1104	1920	taskeng.exe	regsvr32.exe
PID 1920 wrote to memory of 1104	1920	taskeng.exe	regsvr32.exe
PID 1920 wrote to memory of 1104	1920	taskeng.exe	regsvr32.exe
PID 1104 wrote to memory of 1396	1104	regsvr32.exe	regsvr32.exe
PID 1104 wrote to memory of 1396	1104	regsvr32.exe	regsvr32.exe
PID 1104 wrote to memory of 1396	1104	regsvr32.exe	regsvr32.exe
PID 1104 wrote to memory of 1396	1104	regsvr32.exe	regsvr32.exe
PID 1104 wrote to memory of 1396	1104	regsvr32.exe	regsvr32.exe
PID 1104 wrote to memory of 1396	1104	regsvr32.exe	regsvr32.exe
PID 1104 wrote to memory of 1396	1104	regsvr32.exe	regsvr32.exe
PID 1396 wrote to memory of 1500	1396	regsvr32.exe	explorer.exe
PID 1396 wrote to memory of 1500	1396	regsvr32.exe	explorer.exe
PID 1396 wrote to memory of 1500	1396	regsvr32.exe	explorer.exe
PID 1396 wrote to memory of 1500	1396	regsvr32.exe	explorer.exe
PID 1396 wrote to memory of 1500	1396	regsvr32.exe	explorer.exe
PID 1396 wrote to memory of 1500	1396	regsvr32.exe	explorer.exe
PID 1500 wrote to memory of 976	1500	explorer.exe	reg.exe
PID 1500 wrote to memory of 976	1500	explorer.exe	reg.exe
PID 1500 wrote to memory of 976	1500	explorer.exe	reg.exe
PID 1500 wrote to memory of 976	1500	explorer.exe	reg.exe
PID 1500 wrote to memory of 1936	1500	explorer.exe	reg.exe
PID 1500 wrote to memory of 1936	1500	explorer.exe	reg.exe
PID 1500 wrote to memory of 1936	1500	explorer.exe	reg.exe
PID 1500 wrote to memory of 1936	1500	explorer.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\01970422_890527.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aqnrzjefxb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\019338921.dll\"" /SC ONCE /Z /ST 16:10 /ET 16:22
5⤵
- Creates scheduled task(s)
PID:572

C:\Windows\system32\taskeng.exe
taskeng.exe {190C66A0-FB44-444B-878C-1F0574B5D3D4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\019338921.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\019338921.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ykdlydtcqpai" /d "0"
5⤵
- Windows security bypass
PID:976

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Lqujhkuaxe" /d "0"
5⤵
- Windows security bypass
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\019338921.dll
Filesize
1.4MB

MD5
7bbeafc1ab9f9d1a48a99338ffec561c

SHA1
a4ce6de223addbdc66e747d3abd00b9f190fb5cb

SHA256
fca807ab91e7328195cafebe5761402f4d7066aef4c766c78a37f2c27fcf812c

SHA512
a32b34d9c03b6a1eaa1d409968d6d211a22320cc8b46955f8cda156f4956ea4a3d2e6d0a5fd8578e274e67db36e2696a7e8722647313333d3b7825d3e3a2c263

Download Submit
\Users\Admin\AppData\Local\Temp\019338921.dll
Filesize
1.4MB

MD5
7bbeafc1ab9f9d1a48a99338ffec561c

SHA1
a4ce6de223addbdc66e747d3abd00b9f190fb5cb

SHA256
fca807ab91e7328195cafebe5761402f4d7066aef4c766c78a37f2c27fcf812c

SHA512
a32b34d9c03b6a1eaa1d409968d6d211a22320cc8b46955f8cda156f4956ea4a3d2e6d0a5fd8578e274e67db36e2696a7e8722647313333d3b7825d3e3a2c263

Download Submit
memory/572-105-0x0000000000000000-mapping.dmp

Download
memory/976-124-0x0000000000000000-mapping.dmp

Download
memory/1104-107-0x0000000000000000-mapping.dmp

Download
memory/1396-117-0x0000000000480000-0x00000000004AD000-memory.dmp

Filesize
180KB

Download
memory/1396-110-0x0000000000000000-mapping.dmp

Download
memory/1396-122-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1396-118-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1396-115-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1396-116-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1396-114-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1396-113-0x0000000000B30000-0x0000000000C95000-memory.dmp

Filesize
1.4MB

Download
memory/1456-100-0x0000000000000000-mapping.dmp

Download
memory/1456-102-0x0000000074801000-0x0000000074803000-memory.dmp

Filesize
8KB

Download
memory/1456-104-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1456-106-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1488-103-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1488-96-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1488-92-0x0000000000000000-mapping.dmp

Download
memory/1488-94-0x00000000003B0000-0x0000000000515000-memory.dmp

Filesize
1.4MB

Download
memory/1488-95-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1488-97-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1488-99-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/1488-93-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1488-98-0x00000000006B0000-0x00000000006DD000-memory.dmp

Filesize
180KB

Download
memory/1500-119-0x0000000000000000-mapping.dmp

Download
memory/1500-123-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1500-126-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1660-54-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/1868-88-0x0000000000000000-mapping.dmp

Download
memory/1936-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads