qakbot | 112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515

General

Target

sj.exe
Size

2.6MB
MD5

bce0df8721504d50f4497c0a0a2c090d
SHA1

2c5b190d19f0f58e156bd1b28434701cea09cc23
SHA256

112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515
SHA512

8eca2571399782952e984b4d7c8f525a9c0092396ac8dc592d98acd0efdf2b6959a4b1272bcfb7e3a38060d269deabfd676b1fef2e830df3baab43e206d2f7fc
SSDEEP

12288:qlQq2wwLHqpVxTp5WK1QAPPAV/Ykfgn6ggKh:u2wwT45xQwkfg93h

Score

10^/10

qakbot spx143 1592482956 banker cryptone evasion packer stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx143

Campaign

1592482956

C2

39.36.254.179:995

24.139.132.70:443

24.202.42.48:2222

72.204.242.138:443

172.242.156.50:995

72.204.242.138:20

68.174.15.223:443

74.193.197.246:443

96.56.237.174:990

64.19.74.29:995

70.168.130.172:443

189.236.166.167:443

68.4.137.211:443

76.187.8.160:443

76.86.57.179:2222

73.226.220.56:443

67.250.184.157:443

75.183.171.155:3389

173.172.205.216:443

173.3.132.17:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii = "0"	reg.exe

CryptOne packer 5 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe	cryptone

Executes dropped EXE 4 IoCs

Processes:

oiggfay.exeoiggfay.exeoiggfay.exeoiggfay.exe

pid process

4944 oiggfay.exe
2924 oiggfay.exe
2256 oiggfay.exe
2788 oiggfay.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4944	oiggfay.exe
2924	oiggfay.exe
2256	oiggfay.exe
2788	oiggfay.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sj.exeoiggfay.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	sj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	sj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	oiggfay.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	oiggfay.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	oiggfay.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	oiggfay.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	sj.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	sj.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	sj.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	sj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	oiggfay.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	oiggfay.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4184 schtasks.exe

pid	process
4184	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

sj.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	sj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	sj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	sj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	sj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	sj.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2688 PING.EXE

pid	process
2688	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

sj.exesj.exeoiggfay.exeoiggfay.exeexplorer.exesj.exeoiggfay.exe

pid	process
2868	sj.exe
2868	sj.exe
2992	sj.exe
2992	sj.exe
2992	sj.exe
2992	sj.exe
4944	oiggfay.exe
4944	oiggfay.exe
2924	oiggfay.exe
2924	oiggfay.exe
2924	oiggfay.exe
2924	oiggfay.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
460	explorer.exe
1160	sj.exe
1160	sj.exe
2256	oiggfay.exe
2256	oiggfay.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

oiggfay.exe

pid process

4944 oiggfay.exe

pid	process
4944	oiggfay.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

sj.exeoiggfay.exesj.execmd.exeoiggfay.exe

description	pid	process	target process
PID 2868 wrote to memory of 2992	2868	sj.exe	sj.exe
PID 2868 wrote to memory of 2992	2868	sj.exe	sj.exe
PID 2868 wrote to memory of 2992	2868	sj.exe	sj.exe
PID 2868 wrote to memory of 4944	2868	sj.exe	oiggfay.exe
PID 2868 wrote to memory of 4944	2868	sj.exe	oiggfay.exe
PID 2868 wrote to memory of 4944	2868	sj.exe	oiggfay.exe
PID 2868 wrote to memory of 4184	2868	sj.exe	schtasks.exe
PID 2868 wrote to memory of 4184	2868	sj.exe	schtasks.exe
PID 2868 wrote to memory of 4184	2868	sj.exe	schtasks.exe
PID 4944 wrote to memory of 2924	4944	oiggfay.exe	oiggfay.exe
PID 4944 wrote to memory of 2924	4944	oiggfay.exe	oiggfay.exe
PID 4944 wrote to memory of 2924	4944	oiggfay.exe	oiggfay.exe
PID 4944 wrote to memory of 460	4944	oiggfay.exe	explorer.exe
PID 4944 wrote to memory of 460	4944	oiggfay.exe	explorer.exe
PID 4944 wrote to memory of 460	4944	oiggfay.exe	explorer.exe
PID 4944 wrote to memory of 460	4944	oiggfay.exe	explorer.exe
PID 1160 wrote to memory of 2676	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 2676	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 4204	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 4204	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 5056	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 5056	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 3264	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 3264	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 3320	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 3320	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 3424	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 3424	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 668	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 668	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 1444	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 1444	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 356	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 356	1160	sj.exe	reg.exe
PID 1160 wrote to memory of 2256	1160	sj.exe	oiggfay.exe
PID 1160 wrote to memory of 2256	1160	sj.exe	oiggfay.exe
PID 1160 wrote to memory of 2256	1160	sj.exe	oiggfay.exe
PID 1160 wrote to memory of 3948	1160	sj.exe	cmd.exe
PID 1160 wrote to memory of 3948	1160	sj.exe	cmd.exe
PID 1160 wrote to memory of 3052	1160	sj.exe	schtasks.exe
PID 1160 wrote to memory of 3052	1160	sj.exe	schtasks.exe
PID 3948 wrote to memory of 2688	3948	cmd.exe	PING.EXE
PID 3948 wrote to memory of 2688	3948	cmd.exe	PING.EXE
PID 2256 wrote to memory of 2788	2256	oiggfay.exe	oiggfay.exe
PID 2256 wrote to memory of 2788	2256	oiggfay.exe	oiggfay.exe
PID 2256 wrote to memory of 2788	2256	oiggfay.exe	oiggfay.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sj.exe
"C:\Users\Admin\AppData\Local\Temp\sj.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\sj.exe
C:\Users\Admin\AppData\Local\Temp\sj.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dwjjzcfcwv /tr "\"C:\Users\Admin\AppData\Local\Temp\sj.exe\" /I dwjjzcfcwv" /SC ONCE /Z /ST 18:46 /ET 18:58
2⤵
- Creates scheduled task(s)
PID:4184

C:\Users\Admin\AppData\Local\Temp\sj.exe
C:\Users\Admin\AppData\Local\Temp\sj.exe /I dwjjzcfcwv
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:2676

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:4204

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:5056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:3264

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:3320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:3424

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:668

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:1444

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii" /d "0"
2⤵
- Windows security bypass
PID:356

C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe /C
3⤵
- Executes dropped EXE
PID:2788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\sj.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:2688

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN dwjjzcfcwv
2⤵
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.dat
Filesize
63B

MD5
b74db07e8b4d6d306d2eef2c61541b62

SHA1
d0e0abbd2e4f50606bc3ce2b9b153743efde744d

SHA256
45a7a6ba03e1f93767b8a048fbb6cd49294a930ce9562749b81b57abe7827057

SHA512
d7121bc5cec98b8232d324c270401602547f7dcf84a771ac39ea722944149e6d5cbc4362b1d25e00cbd3bfcd3203ea05430c7bdcbc68a65784461012789dd701

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
Filesize
2.6MB

MD5
bce0df8721504d50f4497c0a0a2c090d

SHA1
2c5b190d19f0f58e156bd1b28434701cea09cc23

SHA256
112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515

SHA512
8eca2571399782952e984b4d7c8f525a9c0092396ac8dc592d98acd0efdf2b6959a4b1272bcfb7e3a38060d269deabfd676b1fef2e830df3baab43e206d2f7fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
Filesize
2.6MB

MD5
bce0df8721504d50f4497c0a0a2c090d

SHA1
2c5b190d19f0f58e156bd1b28434701cea09cc23

SHA256
112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515

SHA512
8eca2571399782952e984b4d7c8f525a9c0092396ac8dc592d98acd0efdf2b6959a4b1272bcfb7e3a38060d269deabfd676b1fef2e830df3baab43e206d2f7fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
Filesize
2.6MB

MD5
bce0df8721504d50f4497c0a0a2c090d

SHA1
2c5b190d19f0f58e156bd1b28434701cea09cc23

SHA256
112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515

SHA512
8eca2571399782952e984b4d7c8f525a9c0092396ac8dc592d98acd0efdf2b6959a4b1272bcfb7e3a38060d269deabfd676b1fef2e830df3baab43e206d2f7fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
Filesize
2.6MB

MD5
bce0df8721504d50f4497c0a0a2c090d

SHA1
2c5b190d19f0f58e156bd1b28434701cea09cc23

SHA256
112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515

SHA512
8eca2571399782952e984b4d7c8f525a9c0092396ac8dc592d98acd0efdf2b6959a4b1272bcfb7e3a38060d269deabfd676b1fef2e830df3baab43e206d2f7fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
Filesize
2.6MB

MD5
bce0df8721504d50f4497c0a0a2c090d

SHA1
2c5b190d19f0f58e156bd1b28434701cea09cc23

SHA256
112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515

SHA512
8eca2571399782952e984b4d7c8f525a9c0092396ac8dc592d98acd0efdf2b6959a4b1272bcfb7e3a38060d269deabfd676b1fef2e830df3baab43e206d2f7fc

Download Submit
memory/460-151-0x00000000027E0000-0x0000000002813000-memory.dmp

Filesize
204KB

Download
memory/460-161-0x0000000000990000-0x00000000009CA000-memory.dmp

Filesize
232KB

Download
memory/460-158-0x00000000027E0000-0x0000000002813000-memory.dmp

Filesize
204KB

Download
memory/460-162-0x00000000027E0000-0x0000000002813000-memory.dmp

Filesize
204KB

Download
memory/460-156-0x00000000027E0000-0x0000000002813000-memory.dmp

Filesize
204KB

Download
memory/460-150-0x0000000000990000-0x00000000009CA000-memory.dmp

Filesize
232KB

Download
memory/460-155-0x00000000027E0000-0x0000000002813000-memory.dmp

Filesize
204KB

Download
memory/460-152-0x00000000027E0000-0x0000000002813000-memory.dmp

Filesize
204KB

Download
memory/1160-163-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/1160-165-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2256-167-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2868-135-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2868-133-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2868-140-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2868-134-0x0000000000930000-0x0000000000967000-memory.dmp

Filesize
220KB

Download
memory/2868-145-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2924-149-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2924-148-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2992-136-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2992-137-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4944-154-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4944-147-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads