qakbot | 2b9ef4a9f47402d171eec28acadf3753cbb33c9bc6ec26d99aa060127a470e95

General

Target

7.bin
Sample

191111-zl9l5y6lp2
SHA256

2b9ef4a9f47402d171eec28acadf3753cbb33c9bc6ec26d99aa060127a470e95

Score

N/A

Malware Config

Extracted

Family

qakbot

Campaign

1573023013

C2

107.12.140.181:443

67.5.33.229:2078

184.74.101.234:995

172.78.45.13:995

181.95.16.207:443

50.246.229.50:443

207.179.194.91:443

67.246.16.250:995

75.110.250.89:443

173.91.254.236:443

50.78.93.74:995

73.104.218.229:0

47.23.101.26:993

88.111.255.235:2222

12.5.37.3:995

24.30.71.200:443

72.29.181.77:2078

98.155.154.220:443

196.194.74.33:2222

47.214.144.253:443

Signatures

Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7.bin.exeijsethyt.exeijsethyt.exe

description	ioc	pid	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	5032	7.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	5032	7.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	5032	7.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	5032	7.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	5032	7.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service	5032	7.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	1016	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	1016	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	1016	ijsethyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	1016	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	1016	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service	1016	ijsethyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	1080	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	1080	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	1080	ijsethyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	1080	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	1080	ijsethyt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service	1080	ijsethyt.exe

Executes dropped EXE 4 IoCs

Processes:

ijsethyt.exeijsethyt.exeijsethyt.exeijsethyt.exe

pid process

404 ijsethyt.exe
1016 ijsethyt.exe
4604 ijsethyt.exe
1080 ijsethyt.exe

pid	process
404	ijsethyt.exe
1016	ijsethyt.exe
4604	ijsethyt.exe
1080	ijsethyt.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7.bin.exeSppExtComObj.exeijsethyt.exe7.bin.exeijsethyt.exe

description	pid	process	target process
PID 4944 wrote to memory of 5032	4944	7.bin.exe	7.bin.exe
PID 5100 wrote to memory of 1980	5100	SppExtComObj.exe	SLUI.exe
PID 4944 wrote to memory of 404	4944	7.bin.exe	ijsethyt.exe
PID 4944 wrote to memory of 384	4944	7.bin.exe	schtasks.exe
PID 404 wrote to memory of 1016	404	ijsethyt.exe	ijsethyt.exe
PID 404 wrote to memory of 4480	404	ijsethyt.exe	explorer.exe
PID 4900 wrote to memory of 5048	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 1700	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 2568	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 3544	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 2968	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 4956	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 2104	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 4416	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 4772	4900	7.bin.exe	reg.exe
PID 4900 wrote to memory of 4604	4900	7.bin.exe	ijsethyt.exe
PID 4900 wrote to memory of 608	4900	7.bin.exe	cmd.exe
PID 4900 wrote to memory of 672	4900	7.bin.exe	schtasks.exe
PID 4604 wrote to memory of 1080	4604	ijsethyt.exe	ijsethyt.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ijsethyt.exe

pid process

404 ijsethyt.exe

pid	process
404	ijsethyt.exe

Uses Task Scheduler COM API 1 TTPs 14 IoCs

persistence

Query Registry

T1012

Processes:

schtasks.exe

description	ioc	pid	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	672	schtasks.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	672	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	672	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\	672	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	672	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32	672	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\	672	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel	672	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	672	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	672	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	672	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID	672	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	672	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	672	schtasks.exe

qakbot family
family qakbot
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

7.bin.exe7.bin.exeijsethyt.exeijsethyt.exeexplorer.exe7.bin.exeijsethyt.exeijsethyt.exe

pid process

4944 7.bin.exe
5032 7.bin.exe
404 ijsethyt.exe
1016 ijsethyt.exe
4480 explorer.exe
4900 7.bin.exe
4604 ijsethyt.exe
1080 ijsethyt.exe

pid	process
4944	7.bin.exe
5032	7.bin.exe
404	ijsethyt.exe
1016	ijsethyt.exe
4480	explorer.exe
4900	7.bin.exe
4604	ijsethyt.exe
1080	ijsethyt.exe

Drops file in system dir 5 IoCs

Processes:

svchost.exe

description	ioc	pid	process
File opened for modification	C:\Windows\Debug\ESE.TXT	4608	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4608	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4608	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4608	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4608	svchost.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	3532	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	3532	svchost.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Processes:

reg.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr = "0"	4772	reg.exe

Runs ping.exe 1 TTPs 1 IoCs
evasion spreading

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

716 PING.EXE
Qakbot persistence 1 IoCs
trojan

Processes:

explorer.exe

description ioc pid process

Event created 2ijsethyt4480 4480 explorer.exe

pid	process
716	PING.EXE

description	ioc	pid	process
Event created	2ijsethyt4480	4480	explorer.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4864	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4864	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"	5048	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"	1700	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	2968	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	4956	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	2104	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	4416	reg.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\rugffwdk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Onjpsefhpr\\ijsethyt.exe\""	4480	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7.bin.exe
"C:\Users\Admin\AppData\Local\Temp\7.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Users\Admin\AppData\Local\Temp\7.bin.exe
C:\Users\Admin\AppData\Local\Temp\7.bin.exe /C
1⤵
- Checks SCSI registry key(s) (likely anti-VM)
- Suspicious behavior: EnumeratesProcesses
PID:5032

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:1980

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
PID:404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn zknnqsi /tr "\"C:\Users\Admin\AppData\Local\Temp\7.bin.exe\" /I zknnqsi" /SC ONCE /Z /ST 11:29 /ET 11:41
1⤵
PID:384

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
1⤵
- Checks SCSI registry key(s) (likely anti-VM)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Qakbot persistence
- Adds Run entry to start application
PID:4480

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:4608

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4612

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:3532

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4892

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4864

C:\Users\Admin\AppData\Local\Temp\7.bin.exe
C:\Users\Admin\AppData\Local\Temp\7.bin.exe /I zknnqsi
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:5048

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:1700

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
PID:2568

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
PID:3544

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:2968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:4956

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:2104

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:4416

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"
1⤵
- Windows security bypass
PID:4772

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\7.bin.exe"
1⤵
PID:608

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN zknnqsi
1⤵
- Uses Task Scheduler COM API
PID:672

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
1⤵
- Runs ping.exe
PID:716

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
1⤵
- Checks SCSI registry key(s) (likely anti-VM)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe

Download Submit
memory/404-5-0x0000000002490000-0x0000000002522000-memory.dmp

Filesize
584KB

Download
memory/1016-4-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/1080-20-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/5032-0-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads