agenttesla | edb5f7136ced51208b8c6503f67f9b9153c4ac47a4876b32d82e69208de51509

General

Target

Invoice NeededPDF.exe
Size

1.1MB
MD5

9cf504947d9ba331fb5d7dab266ded76
SHA1

fbbdd9841da2b426c61db1772da07e9642a75f10
SHA256

edb5f7136ced51208b8c6503f67f9b9153c4ac47a4876b32d82e69208de51509
SHA512

d9f1d86a36d3ed9b6131036c3fac03ec3dc5dd0fb9c5bb255ba04adaf98297092071f83390d42a6e7b3c7ac81ee8f570f1aa4fbaf998829db57d29ed16abb7f9

Score

10^/10

agenttesla nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

sys2021.linkpc.net:11940

23.94.82.41:11940

Mutex

de7e01ad-963b-4e14-81aa-08dfb351f0fe

Attributes

activate_away_mode
false
backup_connection_host
23.94.82.41
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-04-24T08:14:59.254967636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
11940
default_group
Do
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
de7e01ad-963b-4e14-81aa-08dfb351f0fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sys2021.linkpc.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Invoice NeededPDF.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\ChromesOffice\\Officechrome.exe\","	Invoice NeededPDF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\ChromesOffice\\Officechrome.exe\","	Wxyjiizwdkrdwemkrfkmfjet 1.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1076-424-0x0000000000437B0E-mapping.dmp	family_agenttesla
behavioral2/memory/1076-431-0x0000000004CA0000-0x000000000519E000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

Wxyjiizwdkrdwemkrfkmfjet 1.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

pid process

2140 Wxyjiizwdkrdwemkrfkmfjet 1.exe
1076 Wxyjiizwdkrdwemkrfkmfjet 1.exe

pid	process
2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe
1076	Wxyjiizwdkrdwemkrfkmfjet 1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Invoice NeededPDF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"	Invoice NeededPDF.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Invoice NeededPDF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Invoice NeededPDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Invoice NeededPDF.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Invoice NeededPDF.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

description	pid	process	target process
PID 3972 set thread context of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 2140 set thread context of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe

Drops file in Program Files directory 2 IoCs

Processes:

Invoice NeededPDF.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Manager\issmgr.exe	Invoice NeededPDF.exe
File opened for modification	C:\Program Files (x86)\ISS Manager\issmgr.exe	Invoice NeededPDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Invoice NeededPDF.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Invoice NeededPDF.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Invoice NeededPDF.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Invoice NeededPDF.exeInvoice NeededPDF.exepowershell.exeWxyjiizwdkrdwemkrfkmfjet 1.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

pid	process
3972	Invoice NeededPDF.exe
3972	Invoice NeededPDF.exe
3136	Invoice NeededPDF.exe
3136	Invoice NeededPDF.exe
3136	Invoice NeededPDF.exe
3968	powershell.exe
3968	powershell.exe
3136	Invoice NeededPDF.exe
3136	Invoice NeededPDF.exe
3136	Invoice NeededPDF.exe
3968	powershell.exe
2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe
2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe
1076	Wxyjiizwdkrdwemkrfkmfjet 1.exe
1076	Wxyjiizwdkrdwemkrfkmfjet 1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Invoice NeededPDF.exe

pid process

3136 Invoice NeededPDF.exe

pid	process
3136	Invoice NeededPDF.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Invoice NeededPDF.exeInvoice NeededPDF.exepowershell.exeWxyjiizwdkrdwemkrfkmfjet 1.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

description	pid	process
Token: SeDebugPrivilege	3972	Invoice NeededPDF.exe
Token: SeDebugPrivilege	3136	Invoice NeededPDF.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe
Token: SeDebugPrivilege	1076	Wxyjiizwdkrdwemkrfkmfjet 1.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Invoice NeededPDF.exeWScript.exeWScript.exeWxyjiizwdkrdwemkrfkmfjet 1.exe

description	pid	process	target process
PID 3972 wrote to memory of 1524	3972	Invoice NeededPDF.exe	WScript.exe
PID 3972 wrote to memory of 1524	3972	Invoice NeededPDF.exe	WScript.exe
PID 3972 wrote to memory of 1524	3972	Invoice NeededPDF.exe	WScript.exe
PID 3972 wrote to memory of 4004	3972	Invoice NeededPDF.exe	WScript.exe
PID 3972 wrote to memory of 4004	3972	Invoice NeededPDF.exe	WScript.exe
PID 3972 wrote to memory of 4004	3972	Invoice NeededPDF.exe	WScript.exe
PID 3972 wrote to memory of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 3972 wrote to memory of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 3972 wrote to memory of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 3972 wrote to memory of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 3972 wrote to memory of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 3972 wrote to memory of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 3972 wrote to memory of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 3972 wrote to memory of 3136	3972	Invoice NeededPDF.exe	Invoice NeededPDF.exe
PID 1524 wrote to memory of 3968	1524	WScript.exe	powershell.exe
PID 1524 wrote to memory of 3968	1524	WScript.exe	powershell.exe
PID 1524 wrote to memory of 3968	1524	WScript.exe	powershell.exe
PID 4004 wrote to memory of 2140	4004	WScript.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 4004 wrote to memory of 2140	4004	WScript.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 4004 wrote to memory of 2140	4004	WScript.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 2140 wrote to memory of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 2140 wrote to memory of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 2140 wrote to memory of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 2140 wrote to memory of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 2140 wrote to memory of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 2140 wrote to memory of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 2140 wrote to memory of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe
PID 2140 wrote to memory of 1076	2140	Wxyjiizwdkrdwemkrfkmfjet 1.exe	Wxyjiizwdkrdwemkrfkmfjet 1.exe

C:\Users\Admin\AppData\Local\Temp\Invoice NeededPDF.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice NeededPDF.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Novhflphhvqnbvv.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ChromesOffice\Officechrome.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Novhflphhvqnbvv.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
"C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
"C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Local\Temp\Invoice NeededPDF.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice NeededPDF.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wxyjiizwdkrdwemkrfkmfjet 1.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Novhflphhvqnbvv.vbs
MD5
c15eedf22134f5b6f0cad431a12a1282

SHA1
d72885f0f04d2d3bd88e91d958a959c0f304f5ef

SHA256
679b60e67c4e5d6d3817259f795770569982134faf32327ad0e22bc8aa9d1686

SHA512
2e4948c4d93b00cf2605d0c2d3946017b2bec64d72c0f685e94e5f9400c139bf0f1650618059e50c7baaef0ad4f1ac00914edb6b07769cf3889af8e33bc136fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
MD5
1f8a28e9eea19313c1d5453a4b292788

SHA1
51e8b4e4f328bd95d05a783bc953d720d10ea3d1

SHA256
f465787fcece594aab905f5b32772c2125fbaebc2dd0c27ab1117e2056648e0f

SHA512
a455fcd1a516cde545bbd0e23651188c955f92673ccdb1106ea8c862f454af089746e7fc7712808ada591a2f575400b753caca018c82b956b20cef17850483a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
MD5
1f8a28e9eea19313c1d5453a4b292788

SHA1
51e8b4e4f328bd95d05a783bc953d720d10ea3d1

SHA256
f465787fcece594aab905f5b32772c2125fbaebc2dd0c27ab1117e2056648e0f

SHA512
a455fcd1a516cde545bbd0e23651188c955f92673ccdb1106ea8c862f454af089746e7fc7712808ada591a2f575400b753caca018c82b956b20cef17850483a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wxyjiizwdkrdwemkrfkmfjet 1.exe
MD5
1f8a28e9eea19313c1d5453a4b292788

SHA1
51e8b4e4f328bd95d05a783bc953d720d10ea3d1

SHA256
f465787fcece594aab905f5b32772c2125fbaebc2dd0c27ab1117e2056648e0f

SHA512
a455fcd1a516cde545bbd0e23651188c955f92673ccdb1106ea8c862f454af089746e7fc7712808ada591a2f575400b753caca018c82b956b20cef17850483a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Novhflphhvqnbvv.vbs
MD5
28fee73529e257b17f310cb2e1fa7076

SHA1
983a7ef04b31b721cd2a7f99233d3c0cafd75c1b

SHA256
3bacaf52f5d3cc7e501036ad54c250adebe5c28e6511c55aa4931a8de86da8c1

SHA512
e8859192760637ec03de3ccd0ffd62823a2fd9c68c9cce1ce5cb6ddb74bc19d5b1531832a6cfbbdd1d6281a538b7522f37c1e89efb8badac121c71842f16eab8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ChromesOffice\Officechrome.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1076-424-0x0000000000437B0E-mapping.dmp

Download
memory/1076-431-0x0000000004CA0000-0x000000000519E000-memory.dmp

Filesize
5.0MB

Download
memory/1524-127-0x0000000000000000-mapping.dmp

Download
memory/2140-421-0x0000000005050000-0x000000000554E000-memory.dmp

Filesize
5.0MB

Download
memory/2140-415-0x0000000006EE0000-0x0000000006F36000-memory.dmp

Filesize
344KB

Download
memory/2140-137-0x0000000000000000-mapping.dmp

Download
memory/2140-160-0x0000000005050000-0x000000000554E000-memory.dmp

Filesize
5.0MB

Download
memory/2140-141-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3136-175-0x00000000064F0000-0x00000000064FA000-memory.dmp

Filesize
40KB

Download
memory/3136-165-0x0000000005460000-0x000000000546D000-memory.dmp

Filesize
52KB

Download
memory/3136-132-0x000000000041E792-mapping.dmp

Download
memory/3136-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3136-143-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3136-146-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/3136-174-0x00000000064D0000-0x00000000064DF000-memory.dmp

Filesize
60KB

Download
memory/3136-177-0x0000000006540000-0x000000000654F000-memory.dmp

Filesize
60KB

Download
memory/3136-153-0x0000000005200000-0x0000000005205000-memory.dmp

Filesize
20KB

Download
memory/3136-154-0x0000000005440000-0x0000000005459000-memory.dmp

Filesize
100KB

Download
memory/3136-155-0x0000000005220000-0x0000000005223000-memory.dmp

Filesize
12KB

Download
memory/3136-176-0x0000000006500000-0x0000000006529000-memory.dmp

Filesize
164KB

Download
memory/3136-167-0x0000000006470000-0x0000000006476000-memory.dmp

Filesize
24KB

Download
memory/3136-173-0x00000000064C0000-0x00000000064C9000-memory.dmp

Filesize
36KB

Download
memory/3136-169-0x0000000006490000-0x0000000006496000-memory.dmp

Filesize
24KB

Download
memory/3136-171-0x00000000064B0000-0x00000000064BD000-memory.dmp

Filesize
52KB

Download
memory/3136-170-0x00000000064A0000-0x00000000064A7000-memory.dmp

Filesize
28KB

Download
memory/3136-168-0x0000000006480000-0x000000000648C000-memory.dmp

Filesize
48KB

Download
memory/3136-166-0x0000000006430000-0x0000000006445000-memory.dmp

Filesize
84KB

Download
memory/3968-157-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/3968-193-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/3968-163-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/3968-162-0x0000000006782000-0x0000000006783000-memory.dmp

Filesize
4KB

Download
memory/3968-161-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/3968-400-0x0000000008F30000-0x0000000008F31000-memory.dmp

Filesize
4KB

Download
memory/3968-172-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/3968-159-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/3968-158-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/3968-134-0x0000000000000000-mapping.dmp

Download
memory/3968-156-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/3968-394-0x0000000008F40000-0x0000000008F41000-memory.dmp

Filesize
4KB

Download
memory/3968-152-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/3968-150-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/3968-186-0x0000000008A80000-0x0000000008AB3000-memory.dmp

Filesize
204KB

Download
memory/3968-164-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/3968-198-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

Filesize
4KB

Download
memory/3968-199-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download
memory/3968-268-0x000000007EC90000-0x000000007EC91000-memory.dmp

Filesize
4KB

Download
memory/3968-269-0x0000000006783000-0x0000000006784000-memory.dmp

Filesize
4KB

Download
memory/3972-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3972-126-0x0000000007C50000-0x0000000007D29000-memory.dmp

Filesize
868KB

Download
memory/3972-123-0x00000000051F0000-0x00000000056EE000-memory.dmp

Filesize
5.0MB

Download
memory/3972-120-0x0000000007670000-0x0000000007738000-memory.dmp

Filesize
800KB

Download
memory/3972-119-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3972-118-0x00000000051F0000-0x00000000056EE000-memory.dmp

Filesize
5.0MB

Download
memory/3972-117-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3972-116-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/4004-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads