agenttesla | edb5f7136ced51208b8c6503f67f9b9153c4ac47a4876b32d82e69208de51509

General

Target

Invoice NeededPDF.exe
Size

1.1MB
MD5

9cf504947d9ba331fb5d7dab266ded76
SHA1

fbbdd9841da2b426c61db1772da07e9642a75f10
SHA256

edb5f7136ced51208b8c6503f67f9b9153c4ac47a4876b32d82e69208de51509
SHA512

d9f1d86a36d3ed9b6131036c3fac03ec3dc5dd0fb9c5bb255ba04adaf98297092071f83390d42a6e7b3c7ac81ee8f570f1aa4fbaf998829db57d29ed16abb7f9

Score

10^/10

agenttesla nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

sys2021.linkpc.net:11940

23.94.82.41:11940

Mutex

de7e01ad-963b-4e14-81aa-08dfb351f0fe

Attributes

activate_away_mode
false
backup_connection_host
23.94.82.41
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-04-24T08:14:59.254967636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
11940
default_group
Do
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
de7e01ad-963b-4e14-81aa-08dfb351f0fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sys2021.linkpc.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Wxyjiizwdkrdwemkrfkmfjet 1.exeInvoice NeededPDF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\ChromesOffice\\Officechrome.exe\","	Wxyjiizwdkrdwemkrfkmfjet 1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\ChromesOffice\\Officechrome.exe\","	Invoice NeededPDF.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1112-153-0x0000000000437B0E-mapping.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

Wxyjiizwdkrdwemkrfkmfjet 1.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

pid process

1984 Wxyjiizwdkrdwemkrfkmfjet 1.exe
1112 Wxyjiizwdkrdwemkrfkmfjet 1.exe
Loads dropped DLL 2 IoCs

Processes:

WScript.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

pid process

768 WScript.exe
1984 Wxyjiizwdkrdwemkrfkmfjet 1.exe

pid	process
1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe
1112	Wxyjiizwdkrdwemkrfkmfjet 1.exe

pid	process
768	WScript.exe
1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Invoice NeededPDF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"	Invoice NeededPDF.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Invoice NeededPDF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Invoice NeededPDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Invoice NeededPDF.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Invoice NeededPDF.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

description	pid	process	target process
PID 528 set thread context of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 1984 set thread context of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe

Drops file in Program Files directory 2 IoCs

Processes:

Invoice NeededPDF.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Service\dpisv.exe	Invoice NeededPDF.exe
File opened for modification	C:\Program Files (x86)\DPI Service\dpisv.exe	Invoice NeededPDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Invoice NeededPDF.exeInvoice NeededPDF.exepowershell.exeWxyjiizwdkrdwemkrfkmfjet 1.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

pid	process
528	Invoice NeededPDF.exe
528	Invoice NeededPDF.exe
436	Invoice NeededPDF.exe
436	Invoice NeededPDF.exe
436	Invoice NeededPDF.exe
1832	powershell.exe
1832	powershell.exe
436	Invoice NeededPDF.exe
436	Invoice NeededPDF.exe
436	Invoice NeededPDF.exe
1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe
1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe
1112	Wxyjiizwdkrdwemkrfkmfjet 1.exe
1112	Wxyjiizwdkrdwemkrfkmfjet 1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Invoice NeededPDF.exe

pid process

436 Invoice NeededPDF.exe

pid	process
436	Invoice NeededPDF.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Invoice NeededPDF.exeInvoice NeededPDF.exepowershell.exeWxyjiizwdkrdwemkrfkmfjet 1.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

description	pid	process
Token: SeDebugPrivilege	528	Invoice NeededPDF.exe
Token: SeDebugPrivilege	436	Invoice NeededPDF.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe
Token: SeDebugPrivilege	1112	Wxyjiizwdkrdwemkrfkmfjet 1.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Invoice NeededPDF.exeWScript.exeWScript.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

description	pid	process	target process
PID 528 wrote to memory of 1852	528	Invoice NeededPDF.exe	WScript.exe
PID 528 wrote to memory of 1852	528	Invoice NeededPDF.exe	WScript.exe
PID 528 wrote to memory of 1852	528	Invoice NeededPDF.exe	WScript.exe
PID 528 wrote to memory of 1852	528	Invoice NeededPDF.exe	WScript.exe
PID 528 wrote to memory of 768	528	Invoice NeededPDF.exe	WScript.exe
PID 528 wrote to memory of 768	528	Invoice NeededPDF.exe	WScript.exe
PID 528 wrote to memory of 768	528	Invoice NeededPDF.exe	WScript.exe
PID 528 wrote to memory of 768	528	Invoice NeededPDF.exe	WScript.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 528 wrote to memory of 436	528	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 768 wrote to memory of 1984	768	WScript.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 768 wrote to memory of 1984	768	WScript.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 768 wrote to memory of 1984	768	WScript.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 768 wrote to memory of 1984	768	WScript.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1852 wrote to memory of 1832	1852	WScript.exe	powershell.exe
PID 1852 wrote to memory of 1832	1852	WScript.exe	powershell.exe
PID 1852 wrote to memory of 1832	1852	WScript.exe	powershell.exe
PID 1852 wrote to memory of 1832	1852	WScript.exe	powershell.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 1984 wrote to memory of 1112	1984	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe

C:\Users\Admin\AppData\Local\Temp\Invoice NeededPDF.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice NeededPDF.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Novhflphhvqnbvv.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ChromesOffice\Officechrome.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Novhflphhvqnbvv.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
"C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
"C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\Invoice NeededPDF.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice NeededPDF.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Novhflphhvqnbvv.vbs
MD5
c15eedf22134f5b6f0cad431a12a1282

SHA1
d72885f0f04d2d3bd88e91d958a959c0f304f5ef

SHA256
679b60e67c4e5d6d3817259f795770569982134faf32327ad0e22bc8aa9d1686

SHA512
2e4948c4d93b00cf2605d0c2d3946017b2bec64d72c0f685e94e5f9400c139bf0f1650618059e50c7baaef0ad4f1ac00914edb6b07769cf3889af8e33bc136fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
MD5
1f8a28e9eea19313c1d5453a4b292788

SHA1
51e8b4e4f328bd95d05a783bc953d720d10ea3d1

SHA256
f465787fcece594aab905f5b32772c2125fbaebc2dd0c27ab1117e2056648e0f

SHA512
a455fcd1a516cde545bbd0e23651188c955f92673ccdb1106ea8c862f454af089746e7fc7712808ada591a2f575400b753caca018c82b956b20cef17850483a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
MD5
1f8a28e9eea19313c1d5453a4b292788

SHA1
51e8b4e4f328bd95d05a783bc953d720d10ea3d1

SHA256
f465787fcece594aab905f5b32772c2125fbaebc2dd0c27ab1117e2056648e0f

SHA512
a455fcd1a516cde545bbd0e23651188c955f92673ccdb1106ea8c862f454af089746e7fc7712808ada591a2f575400b753caca018c82b956b20cef17850483a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
MD5
1f8a28e9eea19313c1d5453a4b292788

SHA1
51e8b4e4f328bd95d05a783bc953d720d10ea3d1

SHA256
f465787fcece594aab905f5b32772c2125fbaebc2dd0c27ab1117e2056648e0f

SHA512
a455fcd1a516cde545bbd0e23651188c955f92673ccdb1106ea8c862f454af089746e7fc7712808ada591a2f575400b753caca018c82b956b20cef17850483a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Novhflphhvqnbvv.vbs
MD5
28fee73529e257b17f310cb2e1fa7076

SHA1
983a7ef04b31b721cd2a7f99233d3c0cafd75c1b

SHA256
3bacaf52f5d3cc7e501036ad54c250adebe5c28e6511c55aa4931a8de86da8c1

SHA512
e8859192760637ec03de3ccd0ffd62823a2fd9c68c9cce1ce5cb6ddb74bc19d5b1531832a6cfbbdd1d6281a538b7522f37c1e89efb8badac121c71842f16eab8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ChromesOffice\Officechrome.exe
MD5
dc147a3a23a53f94c923bc99405664f3

SHA1
67ed419e937389b925254b077b4fac772b3a6942

SHA256
d7a00c340a92a15dc18f18dc19409c4af1c44564c35b87895b6340d00dbde64d

SHA512
24c3e602df8d062f5850e29c25f69ff7294d9890ccc360d87f96a62c10fc67a9dfcebc4b99cb656b1f607c909bda5d75e22befbbd06d5666f660f106a4f87639

Download Submit
\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
MD5
1f8a28e9eea19313c1d5453a4b292788

SHA1
51e8b4e4f328bd95d05a783bc953d720d10ea3d1

SHA256
f465787fcece594aab905f5b32772c2125fbaebc2dd0c27ab1117e2056648e0f

SHA512
a455fcd1a516cde545bbd0e23651188c955f92673ccdb1106ea8c862f454af089746e7fc7712808ada591a2f575400b753caca018c82b956b20cef17850483a0

Download Submit
\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
MD5
1f8a28e9eea19313c1d5453a4b292788

SHA1
51e8b4e4f328bd95d05a783bc953d720d10ea3d1

SHA256
f465787fcece594aab905f5b32772c2125fbaebc2dd0c27ab1117e2056648e0f

SHA512
a455fcd1a516cde545bbd0e23651188c955f92673ccdb1106ea8c862f454af089746e7fc7712808ada591a2f575400b753caca018c82b956b20cef17850483a0

Download Submit
memory/436-107-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/436-99-0x0000000000C60000-0x0000000000C75000-memory.dmp

Filesize
84KB

Download
memory/436-109-0x0000000001030000-0x000000000103F000-memory.dmp

Filesize
60KB

Download
memory/436-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-77-0x000000000041E792-mapping.dmp

Download
memory/436-106-0x0000000000EC0000-0x0000000000ECF000-memory.dmp

Filesize
60KB

Download
memory/436-108-0x0000000001080000-0x00000000010A9000-memory.dmp

Filesize
164KB

Download
memory/436-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-105-0x0000000000EB0000-0x0000000000EB9000-memory.dmp

Filesize
36KB

Download
memory/436-104-0x0000000000E60000-0x0000000000E6D000-memory.dmp

Filesize
52KB

Download
memory/436-102-0x0000000000CE0000-0x0000000000CE6000-memory.dmp

Filesize
24KB

Download
memory/436-87-0x0000000000340000-0x0000000000345000-memory.dmp

Filesize
20KB

Download
memory/436-88-0x0000000000360000-0x0000000000379000-memory.dmp

Filesize
100KB

Download
memory/436-89-0x0000000000350000-0x0000000000353000-memory.dmp

Filesize
12KB

Download
memory/436-103-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

Filesize
28KB

Download
memory/436-101-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/436-92-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/436-100-0x0000000000B00000-0x0000000000B06000-memory.dmp

Filesize
24KB

Download
memory/436-98-0x00000000005B0000-0x00000000005BD000-memory.dmp

Filesize
52KB

Download
memory/528-68-0x0000000000E15000-0x0000000000E26000-memory.dmp

Filesize
68KB

Download
memory/528-61-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/528-62-0x0000000005A30000-0x0000000005AF8000-memory.dmp

Filesize
800KB

Download
memory/528-67-0x0000000005E40000-0x0000000005F19000-memory.dmp

Filesize
868KB

Download
memory/528-59-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/768-71-0x0000000000000000-mapping.dmp

Download
memory/1112-157-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1112-153-0x0000000000437B0E-mapping.dmp

Download
memory/1832-91-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1832-94-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1832-85-0x0000000000000000-mapping.dmp

Download
memory/1832-96-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1832-90-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-97-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1832-95-0x0000000004942000-0x0000000004943000-memory.dmp

Filesize
4KB

Download
memory/1832-112-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1832-117-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/1832-118-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/1832-125-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1832-126-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1832-127-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1852-69-0x0000000000000000-mapping.dmp

Download
memory/1852-72-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1984-93-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1984-149-0x0000000004D55000-0x0000000004D66000-memory.dmp

Filesize
68KB

Download
memory/1984-83-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/1984-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads