agenttesla | 0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51

General

Target

0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe
Size

760KB
MD5

f87f3da7e4319dc7c9aa712ad633040e
SHA1

a2a0029312e054f01a045b5af463b118779c8951
SHA256

0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51
SHA512

ecf179b368273c02ed5033cbd1fc122f95f235f27bf40c6d8dbfd606ad2439a13269de40e468da462c99b7b8141c990b4b3598fec365baee2ca2847319437918
SSDEEP

12288:HjfLII7ciGmjKPVKu3wKD2NrfcKDd6LgQ58a8okHZcIh6odO7arRiDOUij:DL+l6KPV/w1rflDd6Ld5tiHroodwERi6

Score

10^/10

agenttesla asyncrat remcos default host discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.globalifb.com
Port:
587
Username:
[email protected]
Password:
$;oGh3?)CQiY
Email To:
[email protected]

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

104.129.27.19:6606

104.129.27.19:7707

104.129.27.19:8808

Mutex

ppUf6LQ00ujy

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

104.129.27.19:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%WinDir%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_lojuxaaqmwpnhvc
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2112 powershell.exe
2984 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

dllhostservices.execrss.exesvchostservice.exeHWMonitor.exe

pid process

840 dllhostservices.exe
336 crss.exe
2128 svchostservice.exe
1132 HWMonitor.exe
Loads dropped DLL 5 IoCs

Processes:

MSBuild.execrss.exe

pid process

2880 MSBuild.exe
2880 MSBuild.exe
2880 MSBuild.exe
2880 MSBuild.exe
336 crss.exe

pid	process
2112	powershell.exe
2984	powershell.exe

pid	process
840	dllhostservices.exe
336	crss.exe
2128	svchostservice.exe
1132	HWMonitor.exe

pid	process
2880	MSBuild.exe
2880	MSBuild.exe
2880	MSBuild.exe
2880	MSBuild.exe
336	crss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Windows\\system32\\HWMonitor\\HWMonitor.exe"	powershell.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

flow	ioc
4	api.ipify.org
5	api.ipify.org

Drops file in System32 directory 2 IoCs

Processes:

crss.exeHWMonitor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe	crss.exe
File created	C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe	HWMonitor.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe

description	pid	process	target process
PID 2520 set thread context of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dllhostservices.exepowershell.exepowershell.exeschtasks.execrss.exeHWMonitor.exe0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exeMSBuild.exesvchostservice.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhostservices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HWMonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostservice.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2732 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

crss.exeHWMonitor.exe

pid process

336 crss.exe
1132 HWMonitor.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MSBuild.exepowershell.exepowershell.exe

pid process

2880 MSBuild.exe
2880 MSBuild.exe
2112 powershell.exe
2984 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MSBuild.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2880 MSBuild.exe
Token: SeDebugPrivilege 2112 powershell.exe
Token: SeDebugPrivilege 2984 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dllhostservices.exeMSBuild.exe

pid process

840 dllhostservices.exe
2880 MSBuild.exe

pid	process
2732	schtasks.exe

pid	process
336	crss.exe
1132	HWMonitor.exe

pid	process
2880	MSBuild.exe
2880	MSBuild.exe
2112	powershell.exe
2984	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2880	MSBuild.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe

pid	process
840	dllhostservices.exe
2880	MSBuild.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exeMSBuild.execrss.exe

description	pid	process	target process
PID 2520 wrote to memory of 2112	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	powershell.exe
PID 2520 wrote to memory of 2112	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	powershell.exe
PID 2520 wrote to memory of 2112	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	powershell.exe
PID 2520 wrote to memory of 2112	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	powershell.exe
PID 2520 wrote to memory of 2732	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	schtasks.exe
PID 2520 wrote to memory of 2732	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	schtasks.exe
PID 2520 wrote to memory of 2732	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	schtasks.exe
PID 2520 wrote to memory of 2732	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	schtasks.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2520 wrote to memory of 2880	2520	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	MSBuild.exe
PID 2880 wrote to memory of 840	2880	MSBuild.exe	dllhostservices.exe
PID 2880 wrote to memory of 840	2880	MSBuild.exe	dllhostservices.exe
PID 2880 wrote to memory of 840	2880	MSBuild.exe	dllhostservices.exe
PID 2880 wrote to memory of 840	2880	MSBuild.exe	dllhostservices.exe
PID 2880 wrote to memory of 336	2880	MSBuild.exe	crss.exe
PID 2880 wrote to memory of 336	2880	MSBuild.exe	crss.exe
PID 2880 wrote to memory of 336	2880	MSBuild.exe	crss.exe
PID 2880 wrote to memory of 336	2880	MSBuild.exe	crss.exe
PID 2880 wrote to memory of 2128	2880	MSBuild.exe	svchostservice.exe
PID 2880 wrote to memory of 2128	2880	MSBuild.exe	svchostservice.exe
PID 2880 wrote to memory of 2128	2880	MSBuild.exe	svchostservice.exe
PID 2880 wrote to memory of 2128	2880	MSBuild.exe	svchostservice.exe
PID 336 wrote to memory of 2984	336	crss.exe	powershell.exe
PID 336 wrote to memory of 2984	336	crss.exe	powershell.exe
PID 336 wrote to memory of 2984	336	crss.exe	powershell.exe
PID 336 wrote to memory of 2984	336	crss.exe	powershell.exe
PID 336 wrote to memory of 1132	336	crss.exe	HWMonitor.exe
PID 336 wrote to memory of 1132	336	crss.exe	HWMonitor.exe
PID 336 wrote to memory of 1132	336	crss.exe	HWMonitor.exe
PID 336 wrote to memory of 1132	336	crss.exe	HWMonitor.exe

C:\Users\Admin\AppData\Local\Temp\0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe
"C:\Users\Admin\AppData\Local\Temp\0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PZWVpHoNkCgPF.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZWVpHoNkCgPF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2D7.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:840

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Windows\system32\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
4⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe
"C:\Windows\system32\HWMonitor\HWMonitor.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:1132

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF2D7.tmp

Filesize
1KB

MD5
db7c6bed0bc9a1eb495cc10010a48668

SHA1
04f31baee9eda0cc116f50b3de67455601b3d9d2

SHA256
729e3c0ba17f68070a4ff6d8ab8d2e0a2fc9719f7f8cdd24a4baad400a68d1b9

SHA512
355e126655b778b83c8b97f25114ce8cc031e2b62597398cb4ff38926c5ce8fdd76fc2230aeb51c3d82eeae236099f7c0c8cf33ed4de2417d180c2e164c05ba0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UAR8E031AC7IIPQG7YFB.temp

Filesize
7KB

MD5
c9b90192b6bf6b34335ce28c6d3c32bc

SHA1
919545f18021bd6572686ab343fd4f576c685958

SHA256
5395ddd459f0a6dccf2fa53052749faf53323b538026142b33514c295f0dda60

SHA512
5b42bf0061284cb0c2c4706ae25390d6b1be1d9b6c8e7c005a816f73caa44b8b362e9e66f62dddcb17b523630233751743e80a35d4339301dc636c153807449b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe

Filesize
36KB

MD5
64836f3e257a5b415711abc3b6ea6323

SHA1
f52f8588801554eaf4e495784b84f830c4afeaf4

SHA256
3f02a631dce0c4a4acd39ca731eae0ebda74ea65bfe90573d2ab226bab1dc234

SHA512
f3418f421ff0d0bfefd37e5ad75f9d2ffe40953333b90a01ab015942f36333fc4c0e03e468e725e6d8bb5573d9c058aeb889336fee77099db2ddfdfd1a7822f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe

Filesize
45KB

MD5
962b8a0da7f38404ae75698d445d2f82

SHA1
afefd1bc3f70d9a03621a22715ea1001a8d4427b

SHA256
940d979a6e48061d85288ff57e6865087d7c0362774bd7d2caebfdc7b02914eb

SHA512
e1092a2f4c3877eca9d6f67b4da78fecae66bc5fd49d190f796358c245b005a3c6fbd49496bfb4b1ea688c6719c0ca4f963f49b192c97dcb518d5cd4c42bbc68

Download Submit
C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe

Filesize
42.3MB

MD5
27e167b55e04c15aa98069ab832a9668

SHA1
f80908d1da4f14b5d80a3bc8a4942710d4c442c0

SHA256
ed635627515baf5dd9b308c6cd905a87aeb83779ba70a6d6571aefce7324d2b2

SHA512
cadea9c50b6779190e2285f6876709aa220332b974141abbffba4f97b339505cacf2f5f10b56c4ee7332746e66a1412d680a65e904e4e71c963c4b5de060fe83

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe

Filesize
10KB

MD5
caf9747a01a99245a0b3df133dd85191

SHA1
c8429f9d5d1d9768e22019fcac5f0d4b59c006a6

SHA256
6d0d83d060bc279825425757101698e702f3e71c53639270c63b24216fcbcd3f

SHA512
efde236d9924598aa1b3b54b1711b9bbea194bd4a392781aa3c71dca55a0e0188bc8452468497538ee7444ee8803ab4c5865f821fd7aba60b811ed72ebd57ce7

Download Submit
memory/336-55-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/840-43-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/840-63-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/840-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/840-85-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/840-82-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/840-80-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1132-72-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/2128-57-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2520-6-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/2520-29-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2520-8-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/2520-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

Filesize
4KB

Download
memory/2520-7-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/2520-5-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2520-4-0x00000000740BE000-0x00000000740BF000-memory.dmp

Filesize
4KB

Download
memory/2520-3-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/2520-2-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2520-1-0x0000000000820000-0x00000000008E2000-memory.dmp

Filesize
776KB

Download
memory/2880-16-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2880-41-0x00000000040E0000-0x00000000040F9000-memory.dmp

Filesize
100KB

Download
memory/2880-58-0x00000000040E0000-0x00000000040F9000-memory.dmp

Filesize
100KB

Download
memory/2880-59-0x00000000040E0000-0x00000000040F9000-memory.dmp

Filesize
100KB

Download
memory/2880-42-0x00000000040E0000-0x00000000040F9000-memory.dmp

Filesize
100KB

Download
memory/2880-18-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2880-20-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2880-22-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2880-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-25-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2880-28-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2880-26-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads