agenttesla | 9bdd28e639ad1bd0bd8cab6e287279db86d951b1a488786c3435f7a5f39ac383

General

Target

b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Size

35KB
MD5

b9a31ec9cf6084d9ea4543ae5454f6c0
SHA1

1b8fe311794d5ee7c85930d57e8ee521653342e0
SHA256

9bdd28e639ad1bd0bd8cab6e287279db86d951b1a488786c3435f7a5f39ac383
SHA512

91e0e5ee915b8217a84a85c860f0be6f145cac6188b0de7874d698952b7a1f7fb16cde22cb59a1a2fef5af131f81408ae28161c7ed900f1d75885f9bdb1c138f

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
binatonezx.cf
Port:
587
Username:
arinzelogs@binatonezx.cf
Password:
7213575aceACE@#$

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/372-129-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/372-130-0x000000000043765E-mapping.dmp	family_agenttesla
behavioral2/memory/372-142-0x00000000050D0000-0x00000000055CE000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe = "0"	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exe

pid	process
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exe

description pid process target process

PID 496 set thread context of 372 496 b9a31ec9cf6084d9ea4543ae5454f6c0.exe b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3248 timeout.exe

description	pid	process	target process
PID 496 set thread context of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

pid	process
3248	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exeb9a31ec9cf6084d9ea4543ae5454f6c0.exeb9a31ec9cf6084d9ea4543ae5454f6c0.exe

pid	process
2228	powershell.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
372	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
372	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
2228	powershell.exe
2228	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exepowershell.exeb9a31ec9cf6084d9ea4543ae5454f6c0.exe

description	pid	process
Token: SeDebugPrivilege	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	372	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exe

pid process

372 b9a31ec9cf6084d9ea4543ae5454f6c0.exe

pid	process
372	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.execmd.exe

description	pid	process	target process
PID 496 wrote to memory of 2228	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	powershell.exe
PID 496 wrote to memory of 2228	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	powershell.exe
PID 496 wrote to memory of 2228	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	powershell.exe
PID 496 wrote to memory of 3456	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	cmd.exe
PID 496 wrote to memory of 3456	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	cmd.exe
PID 496 wrote to memory of 3456	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	cmd.exe
PID 3456 wrote to memory of 3248	3456	cmd.exe	timeout.exe
PID 3456 wrote to memory of 3248	3456	cmd.exe	timeout.exe
PID 3456 wrote to memory of 3248	3456	cmd.exe	timeout.exe
PID 496 wrote to memory of 584	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 584	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 584	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe
PID 496 wrote to memory of 372	496	b9a31ec9cf6084d9ea4543ae5454f6c0.exe	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

b9a31ec9cf6084d9ea4543ae5454f6c0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9a31ec9cf6084d9ea4543ae5454f6c0.exe

C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe
"C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3248

C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe
"C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe"
2⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe
"C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

5

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/372-188-0x00000000050D0000-0x00000000055CE000-memory.dmp

Filesize
5.0MB

Download
memory/372-142-0x00000000050D0000-0x00000000055CE000-memory.dmp

Filesize
5.0MB

Download
memory/372-130-0x000000000043765E-mapping.dmp

Download
memory/496-116-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/496-117-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/496-118-0x0000000006C00000-0x0000000006CAD000-memory.dmp

Filesize
692KB

Download
memory/496-119-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

Filesize
4KB

Download
memory/496-120-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/496-114-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2228-132-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/2228-140-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2228-121-0x0000000000000000-mapping.dmp

Download
memory/2228-126-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/2228-125-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/2228-133-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/2228-135-0x0000000006C72000-0x0000000006C73000-memory.dmp

Filesize
4KB

Download
memory/2228-137-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/2228-138-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/2228-128-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/2228-141-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/2228-166-0x0000000006C73000-0x0000000006C74000-memory.dmp

Filesize
4KB

Download
memory/2228-143-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/2228-151-0x00000000090D0000-0x0000000009103000-memory.dmp

Filesize
204KB

Download
memory/2228-158-0x00000000090B0000-0x00000000090B1000-memory.dmp

Filesize
4KB

Download
memory/2228-163-0x0000000009130000-0x0000000009131000-memory.dmp

Filesize
4KB

Download
memory/2228-164-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/2228-165-0x000000007F760000-0x000000007F761000-memory.dmp

Filesize
4KB

Download
memory/3248-127-0x0000000000000000-mapping.dmp

Download
memory/3456-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads