qakbot | d2520eaede1f6f07a4e8d23607a5786f7e7290f30afaae3bbae0d3784a41bfbd

General

Target

hola.html
Size

792KB
MD5

f8463962698412317442b7fec3e90e50
SHA1

db969a6149e6e7346c18f56430b6d12fffc5ffc8
SHA256

d2520eaede1f6f07a4e8d23607a5786f7e7290f30afaae3bbae0d3784a41bfbd
SHA512

94715707aed563a2c128f98b83f4265a4ff376b863bc87e46d6f623ac829ff157557338c8c7645e8ad4c28a29f102dc657e61e8ea448cbfeb2d4c2822cc30704
SSDEEP

12288:+73GOdabXoA27IkrwQql0tfCal/ApRt9IGase9CIZZl7X6bfEogvSeOxjKWE0:+7uXG7qQJFC93gzCSIfRU6+Wf

Score

10^/10

qakbot bb 1664184863 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

BB

Campaign

1664184863

C2

197.204.227.155:443

123.23.64.230:443

173.218.180.91:443

111.125.157.230:443

70.49.33.200:2222

149.28.38.16:995

86.132.13.105:2078

149.28.38.16:443

45.77.159.252:995

45.77.159.252:443

149.28.63.197:995

144.202.15.58:443

45.63.10.144:443

45.63.10.144:995

149.28.63.197:443

144.202.15.58:995

39.121.226.109:443

177.255.14.99:995

134.35.10.30:443

99.232.140.205:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WScript.execmd.exeWScript.execmd.exe

description	ioc	process
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 39384a26b9aed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3432673553"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30986708"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370981434"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F7F50117-3DC7-11ED-89AC-E64E24383C5C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506415ced4d1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986708"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986708"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{5FBC7B14-099A-4304-90E0-6AC121B1F05D}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3432673553"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3444390813"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000f9a6799c32ba3ca923737d8b2fc6d3fbb3c6957e97a4017a63934a1fd79517e6000000000e800000000200002000000092225ae2fae04f712d79cf24886e30dcee02c1ac63ef3bd334be045628723a2e20000000b7981eb37a04b7c2a51ed7d43c0266b0610f89f20847f7b9da39980e3306397f4000000071c2fd2296b7cffc71373eb6fb2bef08e8ee50fd6d2593626f5c154d94a36b23a18a16a11b6e9ce3077bf70f4e25dca2497d731006f3e3920df84c407ba73651	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000076958867895cc1d8abc24a63911a7cd3c1bf1c8b68fe613a2552e9ae7370dd04000000000e80000000020000200000004f2e9faf69dde1b74247c5d01845ccaa97971e7f9ca6c5b891add5e09bd98fa1200000000bf04c55f2443a282b4686de16e2639e2c9bc2abfe8e1f489216a2ad474d9f68400000006498751168c27952fb409ab6461a9794aa0def0c3ea82cde17f556e28e2c1f2685ab7c0b82cbe78084947456d2dbd0bba3392e122213605f64b91f930be18aaf	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 707d09ced4d1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings iexplore.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4460 regsvr32.exe
4460 regsvr32.exe
1472 regsvr32.exe
1472 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4460 regsvr32.exe
1472 regsvr32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2368 iexplore.exe
2368 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2368 iexplore.exe
2368 iexplore.exe
4120 IEXPLORE.EXE
4120 IEXPLORE.EXE
4120 IEXPLORE.EXE
4120 IEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	iexplore.exe

pid	process
4460	regsvr32.exe
4460	regsvr32.exe
1472	regsvr32.exe
1472	regsvr32.exe

pid	process
4460	regsvr32.exe
1472	regsvr32.exe

pid	process
2368	iexplore.exe
2368	iexplore.exe

pid	process
2368	iexplore.exe
2368	iexplore.exe
4120	IEXPLORE.EXE
4120	IEXPLORE.EXE
4120	IEXPLORE.EXE
4120	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

iexplore.exeWScript.execmd.exeregsvr32.exeregsvr32.exeWScript.execmd.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2368 wrote to memory of 4120	2368	iexplore.exe	IEXPLORE.EXE
PID 2368 wrote to memory of 4120	2368	iexplore.exe	IEXPLORE.EXE
PID 2368 wrote to memory of 4120	2368	iexplore.exe	IEXPLORE.EXE
PID 4880 wrote to memory of 4368	4880	WScript.exe	cmd.exe
PID 4880 wrote to memory of 4368	4880	WScript.exe	cmd.exe
PID 4368 wrote to memory of 3636	4368	cmd.exe	regsvr32.exe
PID 4368 wrote to memory of 3636	4368	cmd.exe	regsvr32.exe
PID 3636 wrote to memory of 4460	3636	regsvr32.exe	regsvr32.exe
PID 3636 wrote to memory of 4460	3636	regsvr32.exe	regsvr32.exe
PID 3636 wrote to memory of 4460	3636	regsvr32.exe	regsvr32.exe
PID 4460 wrote to memory of 2328	4460	regsvr32.exe	wermgr.exe
PID 4460 wrote to memory of 2328	4460	regsvr32.exe	wermgr.exe
PID 4460 wrote to memory of 2328	4460	regsvr32.exe	wermgr.exe
PID 4460 wrote to memory of 2328	4460	regsvr32.exe	wermgr.exe
PID 4460 wrote to memory of 2328	4460	regsvr32.exe	wermgr.exe
PID 3348 wrote to memory of 4672	3348	WScript.exe	cmd.exe
PID 3348 wrote to memory of 4672	3348	WScript.exe	cmd.exe
PID 4672 wrote to memory of 2012	4672	cmd.exe	regsvr32.exe
PID 4672 wrote to memory of 2012	4672	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 1472	2012	regsvr32.exe	regsvr32.exe
PID 2012 wrote to memory of 1472	2012	regsvr32.exe	regsvr32.exe
PID 2012 wrote to memory of 1472	2012	regsvr32.exe	regsvr32.exe
PID 1472 wrote to memory of 1308	1472	regsvr32.exe	wermgr.exe
PID 1472 wrote to memory of 1308	1472	regsvr32.exe	wermgr.exe
PID 1472 wrote to memory of 1308	1472	regsvr32.exe	wermgr.exe
PID 1472 wrote to memory of 1308	1472	regsvr32.exe	wermgr.exe
PID 1472 wrote to memory of 1308	1472	regsvr32.exe	wermgr.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\hola.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\banners\womanizedBarnstormers.js"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\banners\mentallyRedeemers.cmd" svr"
2⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\system32\regsvr32.exe
regsvr32 banners\rescales.db
3⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\regsvr32.exe
banners\rescales.db
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
5⤵
PID:2328

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\banners\womanizedBarnstormers.js"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\banners\mentallyRedeemers.cmd" svr"
2⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\system32\regsvr32.exe
regsvr32 banners\rescales.db
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\regsvr32.exe
banners\rescales.db
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
5⤵
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
ec21d7b0db946b7ecab4c4ead789e338

SHA1
b708c1a90566be72204ed5340bd05d7224e51403

SHA256
e15133cd7594e706cf5141df1a4780c26e101c85c68262346f91b38d546cd47e

SHA512
d34772501233d31566db776e19b58a4d5b0ee4a76613ac0e9960edaf42bcda35af3d83592f71cb53a1ef9f428ea6e67e0624bd1c84d29f04c7a360ffbc03d1fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
f83d47b08f83acd1b6a3ada082f4691b

SHA1
ea13007274bfbf140412c836824e4026b7adb41b

SHA256
e14306b1f946ad498b8d08e10830abc56b67a4952a3c173bb724710f911e6722

SHA512
a78b00ac62fac746e1da2daad9e9aebbdcecd0dc7bfe3aee55a46021bc6c9c006de0b30429a68dcc6900b83e1e03a25404c4bec296e646c99182353c39b12eef

Download Submit
C:\Users\Admin\Downloads\Art#1015(Sept2622).zip.l4m598k.partial
Filesize
592KB

MD5
b09e1bbe558cd40e3b34fd486d06aaa2

SHA1
e1c8c0ff40cf05c4065363cfa29cfe9b02525794

SHA256
684d62ff07a87386bc347bedd988b89b3f15866b91cd4912666447e807adcc1f

SHA512
bae625a452f234ac0fd50eead983f994b6a3a4631089cf5e230745c895433b9eb2c2f3d93b4e603ca20f342e696d29221cda1f4695119a710985fbd23044929c

Download Submit
memory/1308-154-0x0000000000000000-mapping.dmp

Download
memory/1308-156-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/1472-152-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/1472-155-0x00000000027D0000-0x00000000027F2000-memory.dmp

Filesize
136KB

Download
memory/1472-153-0x00000000027D0000-0x00000000027F2000-memory.dmp

Filesize
136KB

Download
memory/1472-151-0x00000000027D0000-0x00000000027F2000-memory.dmp

Filesize
136KB

Download
memory/1472-149-0x0000000000000000-mapping.dmp

Download
memory/1472-150-0x0000000002050000-0x0000000002168000-memory.dmp

Filesize
1.1MB

Download
memory/2012-148-0x0000000000000000-mapping.dmp

Download
memory/2328-144-0x0000000000000000-mapping.dmp

Download
memory/2328-145-0x0000000000F50000-0x0000000000F72000-memory.dmp

Filesize
136KB

Download
memory/3636-139-0x0000000000000000-mapping.dmp

Download
memory/4368-138-0x0000000000000000-mapping.dmp

Download
memory/4460-140-0x0000000000000000-mapping.dmp

Download
memory/4460-146-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

Filesize
136KB

Download
memory/4460-143-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

Filesize
136KB

Download
memory/4460-142-0x0000000002B30000-0x0000000002B71000-memory.dmp

Filesize
260KB

Download
memory/4460-141-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

Filesize
136KB

Download
memory/4672-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads