qakbot | 357b4979324e2065adc8e6bd11cd7161f830250cae30f50fb13edd70fd2b506b

General

Target

3.bin
Sample

191111-sbsq7xbqea
SHA256

357b4979324e2065adc8e6bd11cd7161f830250cae30f50fb13edd70fd2b506b

Score

N/A

Malware Config

Extracted

Family

qakbot

Campaign

1573123220

C2

206.51.202.106:50003

173.3.132.17:995

75.131.72.82:443

68.238.144.55:443

100.4.185.8:443

5.182.39.156:443

24.201.68.105:2078

23.240.185.215:443

69.92.54.95:995

68.131.9.203:443

187.163.139.200:993

75.81.25.223:995

32.208.1.239:443

170.10.78.48:443

74.194.4.181:443

81.147.42.195:2222

71.30.56.170:443

174.16.234.171:993

66.214.75.176:443

47.153.115.154:443

Signatures

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

3.bin.exe3.bin.exeijsethyt.exeijsethyt.exeexplorer.exe3.bin.exeijsethyt.exeijsethyt.exe

pid process

4932 3.bin.exe
4976 3.bin.exe
68 ijsethyt.exe
988 ijsethyt.exe
2916 explorer.exe
4676 3.bin.exe
4824 ijsethyt.exe
3244 ijsethyt.exe

pid	process
4932	3.bin.exe
4976	3.bin.exe
68	ijsethyt.exe
988	ijsethyt.exe
2916	explorer.exe
4676	3.bin.exe
4824	ijsethyt.exe
3244	ijsethyt.exe

Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3.bin.exeijsethyt.exeijsethyt.exe

description	ioc	pid	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	4976	3.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	4976	3.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	4976	3.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	4976	3.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	4976	3.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service	4976	3.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	988	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	988	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	988	ijsethyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	988	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	988	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service	988	ijsethyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	3244	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	3244	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	3244	ijsethyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	3244	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	3244	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service	3244	ijsethyt.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ijsethyt.exe

pid process

68 ijsethyt.exe

pid	process
68	ijsethyt.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Processes:

reg.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr = "0"	4884	reg.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\swqoz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Onjpsefhpr\\ijsethyt.exe\""	2916	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

ijsethyt.exeijsethyt.exeijsethyt.exeijsethyt.exe

pid process

68 ijsethyt.exe
988 ijsethyt.exe
4824 ijsethyt.exe
3244 ijsethyt.exe

pid	process
68	ijsethyt.exe
988	ijsethyt.exe
4824	ijsethyt.exe
3244	ijsethyt.exe

Uses Task Scheduler COM API 1 TTPs 14 IoCs

persistence

Query Registry

T1012

Processes:

schtasks.exe

description	ioc	pid	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	4928	schtasks.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	4928	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	4928	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\	4928	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	4928	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32	4928	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\	4928	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel	4928	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	4928	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	4928	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	4928	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID	4928	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	4928	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	4928	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs
evasion spreading

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3596 PING.EXE

pid	process
3596	PING.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2036	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2036	svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3.bin.exeSppExtComObj.exeijsethyt.exe3.bin.exeijsethyt.exe

description	pid	process	target process
PID 4932 wrote to memory of 4976	4932	3.bin.exe	3.bin.exe
PID 5088 wrote to memory of 5116	5088	SppExtComObj.exe	SLUI.exe
PID 4932 wrote to memory of 68	4932	3.bin.exe	ijsethyt.exe
PID 4932 wrote to memory of 1676	4932	3.bin.exe	schtasks.exe
PID 68 wrote to memory of 988	68	ijsethyt.exe	ijsethyt.exe
PID 68 wrote to memory of 2916	68	ijsethyt.exe	explorer.exe
PID 4676 wrote to memory of 3804	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 4280	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 4240	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 3736	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 4244	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 3692	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 3740	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 4844	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 4884	4676	3.bin.exe	reg.exe
PID 4676 wrote to memory of 4824	4676	3.bin.exe	ijsethyt.exe
PID 4676 wrote to memory of 1188	4676	3.bin.exe	cmd.exe
PID 4676 wrote to memory of 4928	4676	3.bin.exe	schtasks.exe
PID 4824 wrote to memory of 3244	4824	ijsethyt.exe	ijsethyt.exe

Qakbot persistence 1 IoCs
trojan

Processes:

explorer.exe

description ioc pid process

Event created 2ijsethyt2916 2916 explorer.exe

description	ioc	pid	process
Event created	2ijsethyt2916	2916	explorer.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exesvchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"	3804	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"	4280	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	4244	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	3692	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	3740	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	4844	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	436	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	436	svchost.exe

qakbot family
family qakbot

Drops file in system dir 5 IoCs

Processes:

svchost.exe

description	ioc	pid	process
File opened for modification	C:\Windows\Debug\ESE.TXT	4448	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4448	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4448	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4448	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4448	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\3.bin.exe
C:\Users\Admin\AppData\Local\Temp\3.bin.exe /C
1⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s) (likely anti-VM)
PID:4976

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:5116

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dpjequf /tr "\"C:\Users\Admin\AppData\Local\Temp\3.bin.exe\" /I dpjequf" /SC ONCE /Z /ST 11:28 /ET 11:40
1⤵
PID:1676

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
1⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s) (likely anti-VM)
- Executes dropped EXE
PID:988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
- Qakbot persistence
PID:2916

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:4448

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\3.bin.exe
C:\Users\Admin\AppData\Local\Temp\3.bin.exe /I dpjequf
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:3804

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:4280

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
PID:4240

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
PID:3736

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:4244

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:3692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:3740

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:4844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"
1⤵
- Windows security bypass
PID:4884

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\3.bin.exe"
1⤵
PID:1188

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN dpjequf
1⤵
- Uses Task Scheduler COM API
PID:4928

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
1⤵
- Runs ping.exe
PID:3596

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:2036

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:1476

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
1⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s) (likely anti-VM)
- Executes dropped EXE
PID:3244

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
memory/68-5-0x0000000002370000-0x0000000002402000-memory.dmp

Filesize
584KB

Download
memory/988-4-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/3244-20-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/4976-0-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads