lumma | 03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149

Analysis

max time kernel
2s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 23:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

06b2a063d4f7ed1fbdf89ac4da07890a.exe
Size

242KB
MD5

06b2a063d4f7ed1fbdf89ac4da07890a
SHA1

cfbec43e3d4ff6075a9f8593cf83467aa4b2ea40
SHA256

03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149
SHA512

35f5fdbefc61b4aedeffc159f769add5f1406fb10c48ebfa47da3d8549280ced0373aac150ba16f6f3f6ebe60acf0cea3438c581cae139089c3fbfe3aa95d6ec
SSDEEP

6144:3663lQ0l+9TIddHOCOVrX7tfQN5/inEaMadDKNa1aIc8eH:Xl+1HCOVHtfQunka1KNaTc8eH

Score

10^/10

lumma bootkit evasion persistence stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 36 IoCs

resource	yara_rule
behavioral1/memory/3028-296-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1952-306-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1960-434-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2228-445-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/564-573-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1884-595-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1804-713-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2032-955-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/860-1078-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1056-1208-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2600-1338-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/952-1350-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2796-1584-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1340-1865-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1652-2157-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2312-2280-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/676-2579-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/3020-2710-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1992-2973-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/328-3098-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2128-3105-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2148-3340-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1488-3589-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1624-3719-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1984-3722-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1768-3849-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2040-3964-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2360-4089-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1628-4243-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1816-4522-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2468-4768-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/3012-5044-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2576-5347-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1544-5468-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/1920-5589-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4
behavioral1/memory/2376-5710-0x0000000000400000-0x0000000000498000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe

Executes dropped EXE 4 IoCs

pid	Process
1952	tqlfc.com
1960	vadvu.com
2228	vtenw.com
564	uabxw.com

Loads dropped DLL 8 IoCs

pid	Process
3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe
3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe
1952	tqlfc.com
1952	tqlfc.com
1960	vadvu.com
1960	vadvu.com
2228	vtenw.com
2228	vtenw.com

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	uabxw.com
File opened for modification	\??\PhysicalDrive0	06b2a063d4f7ed1fbdf89ac4da07890a.exe
File opened for modification	\??\PhysicalDrive0	tqlfc.com
File opened for modification	\??\PhysicalDrive0	vadvu.com
File opened for modification	\??\PhysicalDrive0	vtenw.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	uabxw.com
File created	C:\Windows\SysWOW64\tqlfc.com	06b2a063d4f7ed1fbdf89ac4da07890a.exe
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	tqlfc.com
File opened for modification	C:\Windows\SysWOW64\vadvu.com	tqlfc.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	vadvu.com
File opened for modification	C:\Windows\SysWOW64\vtenw.com	vadvu.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	vtenw.com
File created	C:\Windows\SysWOW64\uabxw.com	vtenw.com
File opened for modification	C:\Windows\SysWOW64\tqlfc.com	06b2a063d4f7ed1fbdf89ac4da07890a.exe
File created	C:\Windows\SysWOW64\vadvu.com	tqlfc.com
File created	C:\Windows\SysWOW64\vtenw.com	vadvu.com
File opened for modification	C:\Windows\SysWOW64\uabxw.com	vtenw.com

Runs .reg file with regedit 44 IoCs

pid	Process
524	regedit.exe
2340	regedit.exe
2728	regedit.exe
2636	regedit.exe
852	regedit.exe
2220	regedit.exe
3056	regedit.exe
1920	regedit.exe
2184	regedit.exe
2348	regedit.exe
2604	regedit.exe
308	regedit.exe
3060	regedit.exe
960	regedit.exe
2864	regedit.exe
2928	regedit.exe
2772	regedit.exe
2728	regedit.exe
1836	regedit.exe
2388	regedit.exe
2868	regedit.exe
1592	regedit.exe
1360	regedit.exe
1164	regedit.exe
2332	regedit.exe
2328	regedit.exe
2976	regedit.exe
2988	regedit.exe
2276	regedit.exe
752	regedit.exe
2400	regedit.exe
1816	regedit.exe
2656	regedit.exe
2444	regedit.exe
1972	regedit.exe
2792	regedit.exe
1612	regedit.exe
2344	regedit.exe
2976	regedit.exe
2928	regedit.exe
2124	regedit.exe
292	regedit.exe
2188	regedit.exe
2516	regedit.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2824	3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe	28
PID 3028 wrote to memory of 2824	3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe	28
PID 3028 wrote to memory of 2824	3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe	28
PID 3028 wrote to memory of 2824	3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe	28
PID 2824 wrote to memory of 1836	2824	cmd.exe	57
PID 2824 wrote to memory of 1836	2824	cmd.exe	57
PID 2824 wrote to memory of 1836	2824	cmd.exe	57
PID 2824 wrote to memory of 1836	2824	cmd.exe	57
PID 3028 wrote to memory of 1952	3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe	30
PID 3028 wrote to memory of 1952	3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe	30
PID 3028 wrote to memory of 1952	3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe	30
PID 3028 wrote to memory of 1952	3028	06b2a063d4f7ed1fbdf89ac4da07890a.exe	30
PID 1952 wrote to memory of 2900	1952	tqlfc.com	31
PID 1952 wrote to memory of 2900	1952	tqlfc.com	31
PID 1952 wrote to memory of 2900	1952	tqlfc.com	31
PID 1952 wrote to memory of 2900	1952	tqlfc.com	31
PID 1952 wrote to memory of 1960	1952	tqlfc.com	32
PID 1952 wrote to memory of 1960	1952	tqlfc.com	32
PID 1952 wrote to memory of 1960	1952	tqlfc.com	32
PID 1952 wrote to memory of 1960	1952	tqlfc.com	32
PID 1960 wrote to memory of 2228	1960	vadvu.com	33
PID 1960 wrote to memory of 2228	1960	vadvu.com	33
PID 1960 wrote to memory of 2228	1960	vadvu.com	33
PID 1960 wrote to memory of 2228	1960	vadvu.com	33
PID 2228 wrote to memory of 2236	2228	vtenw.com	34
PID 2228 wrote to memory of 2236	2228	vtenw.com	34
PID 2228 wrote to memory of 2236	2228	vtenw.com	34
PID 2228 wrote to memory of 2236	2228	vtenw.com	34
PID 2236 wrote to memory of 2388	2236	cmd.exe	35
PID 2236 wrote to memory of 2388	2236	cmd.exe	35
PID 2236 wrote to memory of 2388	2236	cmd.exe	35
PID 2236 wrote to memory of 2388	2236	cmd.exe	35
PID 2228 wrote to memory of 564	2228	vtenw.com	36
PID 2228 wrote to memory of 564	2228	vtenw.com	36
PID 2228 wrote to memory of 564	2228	vtenw.com	36
PID 2228 wrote to memory of 564	2228	vtenw.com	36
PID 564 wrote to memory of 1284	564	uabxw.com	38
PID 564 wrote to memory of 1284	564	uabxw.com	38
PID 564 wrote to memory of 1284	564	uabxw.com	38
PID 564 wrote to memory of 1284	564	uabxw.com	38

C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a.exe
"C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\acx.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Runs .reg file with regedit
    PID:1836
- C:\Windows\SysWOW64\tqlfc.com
  C:\Windows\system32\tqlfc.com 516 "C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\acx.bat
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\vadvu.com
    C:\Windows\system32\vadvu.com 512 "C:\Windows\SysWOW64\tqlfc.com"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\vtenw.com
      C:\Windows\system32\vtenw.com 472 "C:\Windows\SysWOW64\vadvu.com"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2388
    - - C:\Windows\SysWOW64\uabxw.com
        
        C:\Windows\system32\uabxw.com 528 "C:\Windows\SysWOW64\vtenw.com"
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        6⤵
        
        PID:1284
      - C:\Windows\SysWOW64\mdpix.com
        
        C:\Windows\system32\mdpix.com 484 "C:\Windows\SysWOW64\uabxw.com"
        6⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        7⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\rijir.com
        
        C:\Windows\system32\rijir.com 488 "C:\Windows\SysWOW64\mdpix.com"
        7⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Runs .reg file with regedit
        
        PID:2728
        
        C:\Windows\SysWOW64\temsm.com
        
        C:\Windows\system32\temsm.com 492 "C:\Windows\SysWOW64\rijir.com"
        8⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        9⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Runs .reg file with regedit
        
        PID:2444
        
        C:\Windows\SysWOW64\tpyla.com
        
        C:\Windows\system32\tpyla.com 576 "C:\Windows\SysWOW64\temsm.com"
        9⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        10⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Runs .reg file with regedit
        
        PID:2348
        
        C:\Windows\SysWOW64\spvva.com
        
        C:\Windows\system32\spvva.com 540 "C:\Windows\SysWOW64\tpyla.com"
        10⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        11⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Runs .reg file with regedit
        
        PID:2636
        
        C:\Windows\SysWOW64\pmcvb.com
        
        C:\Windows\system32\pmcvb.com 536 "C:\Windows\SysWOW64\spvva.com"
        11⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Runs .reg file with regedit
        
        PID:1972
        
        C:\Windows\SysWOW64\hmfta.com
        
        C:\Windows\system32\hmfta.com 548 "C:\Windows\SysWOW64\pmcvb.com"
        12⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        13⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Runs .reg file with regedit
        
        PID:852
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Runs .reg file with regedit
        
        PID:752
        
        C:\Windows\SysWOW64\tkggi.com
        
        C:\Windows\system32\tkggi.com 532 "C:\Windows\SysWOW64\hmfta.com"
        13⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        14⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        15⤵
        Runs .reg file with regedit
        
        PID:3060
        
        C:\Windows\SysWOW64\akuqw.com
        
        C:\Windows\system32\akuqw.com 496 "C:\Windows\SysWOW64\tkggi.com"
        14⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        15⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        Runs .reg file with regedit
        
        PID:2276
        
        C:\Windows\SysWOW64\hoedg.com
        
        C:\Windows\system32\hoedg.com 560 "C:\Windows\SysWOW64\akuqw.com"
        15⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        16⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        17⤵
        Runs .reg file with regedit
        
        PID:2792
        
        C:\Windows\SysWOW64\ehwjj.com
        
        C:\Windows\system32\ehwjj.com 564 "C:\Windows\SysWOW64\hoedg.com"
        16⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        17⤵
        
        PID:904
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        Runs .reg file with regedit
        
        PID:2928
        
        C:\Windows\SysWOW64\pamoo.com
        
        C:\Windows\system32\pamoo.com 616 "C:\Windows\SysWOW64\ehwjj.com"
        17⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        18⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        19⤵
        Runs .reg file with regedit
        
        PID:1612
        
        C:\Windows\SysWOW64\osngi.com
        
        C:\Windows\system32\osngi.com 568 "C:\Windows\SysWOW64\pamoo.com"
        18⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        19⤵
        Modifies security service
        
        PID:1836
        
        C:\Windows\SysWOW64\tfgob.com
        
        C:\Windows\system32\tfgob.com 612 "C:\Windows\SysWOW64\osngi.com"
        19⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        20⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        21⤵
        Runs .reg file with regedit
        
        PID:960
        
        C:\Windows\SysWOW64\yvlbx.com
        
        C:\Windows\system32\yvlbx.com 552 "C:\Windows\SysWOW64\tfgob.com"
        20⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        21⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        Runs .reg file with regedit
        
        PID:1164
        
        C:\Windows\SysWOW64\dliwu.com
        
        C:\Windows\system32\dliwu.com 504 "C:\Windows\SysWOW64\yvlbx.com"
        21⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        22⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        23⤵
        Runs .reg file with regedit
        
        PID:2868
        
        C:\Windows\SysWOW64\zqben.com
        
        C:\Windows\system32\zqben.com 584 "C:\Windows\SysWOW64\dliwu.com"
        22⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        23⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        Runs .reg file with regedit
        
        PID:2124
        
        C:\Windows\SysWOW64\cituf.com
        
        C:\Windows\system32\cituf.com 640 "C:\Windows\SysWOW64\zqben.com"
        23⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        24⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        25⤵
        Runs .reg file with regedit
        
        PID:292
        
        C:\Windows\SysWOW64\evwwa.com
        
        C:\Windows\system32\evwwa.com 600 "C:\Windows\SysWOW64\cituf.com"
        24⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        25⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        26⤵
        Runs .reg file with regedit
        
        PID:2400
        
        C:\Windows\SysWOW64\oolcf.com
        
        C:\Windows\system32\oolcf.com 588 "C:\Windows\SysWOW64\evwwa.com"
        25⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        26⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        27⤵
        Runs .reg file with regedit
        
        PID:2864
        
        C:\Windows\SysWOW64\tafjy.com
        
        C:\Windows\system32\tafjy.com 652 "C:\Windows\SysWOW64\oolcf.com"
        26⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        27⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        28⤵
        Runs .reg file with regedit
        
        PID:1816
        
        C:\Windows\SysWOW64\xnwcr.com
        
        C:\Windows\system32\xnwcr.com 656 "C:\Windows\SysWOW64\tafjy.com"
        27⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        28⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        29⤵
        Runs .reg file with regedit
        
        PID:2332
        
        C:\Windows\SysWOW64\xcthi.com
        
        C:\Windows\system32\xcthi.com 572 "C:\Windows\SysWOW64\xnwcr.com"
        28⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        29⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        30⤵
        Runs .reg file with regedit
        
        PID:2220
        
        C:\Windows\SysWOW64\xuurc.com
        
        C:\Windows\system32\xuurc.com 664 "C:\Windows\SysWOW64\xcthi.com"
        29⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        30⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        31⤵
        Runs .reg file with regedit
        
        PID:2928
        
        C:\Windows\SysWOW64\ecqsw.com
        
        C:\Windows\system32\ecqsw.com 500 "C:\Windows\SysWOW64\xuurc.com"
        30⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        31⤵
        
        PID:320
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        32⤵
        Runs .reg file with regedit
        
        PID:3056
        
        C:\Windows\SysWOW64\obuph.com
        
        C:\Windows\system32\obuph.com 592 "C:\Windows\SysWOW64\ecqsw.com"
        31⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        32⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\rllfz.com
        
        C:\Windows\system32\rllfz.com 508 "C:\Windows\SysWOW64\obuph.com"
        32⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        33⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        34⤵
        Runs .reg file with regedit
        
        PID:2188
        
        C:\Windows\SysWOW64\dnruk.com
        
        C:\Windows\system32\dnruk.com 604 "C:\Windows\SysWOW64\rllfz.com"
        33⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        34⤵
        
        PID:568
        
        C:\Windows\SysWOW64\lrbzc.com
        
        C:\Windows\system32\lrbzc.com 520 "C:\Windows\SysWOW64\dnruk.com"
        34⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        35⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        36⤵
        Runs .reg file with regedit
        
        PID:1920
        
        C:\Windows\SysWOW64\phguy.com
        
        C:\Windows\system32\phguy.com 632 "C:\Windows\SysWOW64\lrbzc.com"
        35⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        36⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        37⤵
        Runs .reg file with regedit
        
        PID:2772
        
        C:\Windows\SysWOW64\umacj.com
        
        C:\Windows\system32\umacj.com 620 "C:\Windows\SysWOW64\phguy.com"
        36⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        37⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cqkpa.com
        
        C:\Windows\system32\cqkpa.com 672 "C:\Windows\SysWOW64\umacj.com"
        37⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        38⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        39⤵
        Runs .reg file with regedit
        
        PID:2328
        
        C:\Windows\SysWOW64\hdvpu.com
        
        C:\Windows\system32\hdvpu.com 524 "C:\Windows\SysWOW64\cqkpa.com"
        38⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        39⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        40⤵
        Runs .reg file with regedit
        
        PID:2344
        
        C:\Windows\SysWOW64\pwcpa.com
        
        C:\Windows\system32\pwcpa.com 644 "C:\Windows\SysWOW64\hdvpu.com"
        39⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        40⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        41⤵
        Runs .reg file with regedit
        
        PID:2976
        
        C:\Windows\SysWOW64\mxmce.com
        
        C:\Windows\system32\mxmce.com 544 "C:\Windows\SysWOW64\pwcpa.com"
        40⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        41⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        42⤵
        Runs .reg file with regedit
        
        PID:524
        
        C:\Windows\SysWOW64\yvhfn.com
        
        C:\Windows\system32\yvhfn.com 636 "C:\Windows\SysWOW64\mxmce.com"
        41⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        42⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        43⤵
        Runs .reg file with regedit
        
        PID:2340
        
        C:\Windows\SysWOW64\bjkii.com
        
        C:\Windows\system32\bjkii.com 676 "C:\Windows\SysWOW64\yvhfn.com"
        42⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        43⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        44⤵
        Runs .reg file with regedit
        
        PID:2516
        
        C:\Windows\SysWOW64\iqgiu.com
        
        C:\Windows\system32\iqgiu.com 648 "C:\Windows\SysWOW64\bjkii.com"
        43⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        44⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        45⤵
        Runs .reg file with regedit
        
        PID:2976
        
        C:\Windows\SysWOW64\ifdft.com
        
        C:\Windows\system32\ifdft.com 556 "C:\Windows\SysWOW64\iqgiu.com"
        44⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        45⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        46⤵
        Runs .reg file with regedit
        
        PID:2656
        
        C:\Windows\SysWOW64\ctiau.com
        
        C:\Windows\system32\ctiau.com 700 "C:\Windows\SysWOW64\ifdft.com"
        45⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        46⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        47⤵
        Runs .reg file with regedit
        
        PID:2604
        
        C:\Windows\SysWOW64\jxsnl.com
        
        C:\Windows\system32\jxsnl.com 696 "C:\Windows\SysWOW64\ctiau.com"
        46⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        47⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        48⤵
        Runs .reg file with regedit
        
        PID:2728
        
        C:\Windows\SysWOW64\rfgff.com
        
        C:\Windows\system32\rfgff.com 684 "C:\Windows\SysWOW64\jxsnl.com"
        47⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        48⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        49⤵
        Runs .reg file with regedit
        
        PID:1360
        
        C:\Windows\SysWOW64\wclvl.com
        
        C:\Windows\system32\wclvl.com 580 "C:\Windows\SysWOW64\rfgff.com"
        48⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        49⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        50⤵
        Runs .reg file with regedit
        
        PID:308
        
        C:\Windows\SysWOW64\bpede.com
        
        C:\Windows\system32\bpede.com 680 "C:\Windows\SysWOW64\wclvl.com"
        49⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\acx.bat
        50⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        51⤵
        Runs .reg file with regedit
        
        PID:2184

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
- Runs .reg file with regedit
PID:2988

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
- Runs .reg file with regedit
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
384B

MD5
c93c561465db53bf9a99759de9d25f07

SHA1
5386934828e2c2589bfe394ac1f03ffbfba93bfa

SHA256
32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851

SHA512
bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c2d6056624c1d37b1baf4445d8705378

SHA1
90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83

SHA256
3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96

SHA512
d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
cd085b8c40e69c2bf1eb3d59f8155b99

SHA1
3499260f24020fe6d54d9d632d34ba2770bb06e0

SHA256
10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c

SHA512
3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5bf31d7ea99b678c867ccdec344298aa

SHA1
2e548f54bf50d13993105c4f59bbeaeb87b17a68

SHA256
52be521b5509b444c0369ea7e69fc06b2d0b770cf600386c9a0178225ccdd281

SHA512
1bc82b65efe8c2be419748c8534210e7ad8cc8332ef87fb5df828eaebfdf630066ab3ad8d3ceeb82dee5ec4e680daff2748fcd4beaad8c71f1477b2ec7fe3564

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6bf876cd9994f0d41be4eca36d22c42a

SHA1
50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

SHA256
ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

SHA512
605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

Download Submit
C:\acx.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\tqlfc.com

Filesize
242KB

MD5
06b2a063d4f7ed1fbdf89ac4da07890a

SHA1
cfbec43e3d4ff6075a9f8593cf83467aa4b2ea40

SHA256
03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149

SHA512
35f5fdbefc61b4aedeffc159f769add5f1406fb10c48ebfa47da3d8549280ced0373aac150ba16f6f3f6ebe60acf0cea3438c581cae139089c3fbfe3aa95d6ec

Download Submit
memory/328-3098-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/564-573-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/676-2579-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/860-1078-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/952-1350-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1056-1208-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1340-1865-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1488-3589-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1544-5468-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1624-3719-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1628-4243-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1652-2157-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1768-3849-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1804-713-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1816-4522-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1884-595-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1920-5589-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1952-306-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1960-434-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1984-3722-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1992-2973-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2032-955-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2040-3964-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2128-3105-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2148-3340-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2228-445-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2312-2280-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2360-4089-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2376-5710-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2468-4768-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2576-5347-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2600-1338-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2796-1584-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3012-5044-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3020-2710-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3028-33-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3028-43-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3028-178-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/3028-177-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/3028-176-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/3028-175-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/3028-174-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/3028-173-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/3028-172-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/3028-171-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3028-170-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/3028-169-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/3028-168-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3028-167-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3028-166-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3028-165-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3028-164-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3028-163-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3028-179-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3028-162-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/3028-161-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3028-160-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/3028-159-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3028-154-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/3028-296-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3028-155-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3028-152-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3028-153-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/3028-151-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3028-36-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3028-38-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3028-40-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3028-41-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3028-180-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/3028-149-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3028-44-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3028-42-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3028-35-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3028-34-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3028-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3028-32-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3028-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3028-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3028-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3028-5-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3028-7-0x00000000004F0000-0x00000000004F4000-memory.dmp

Filesize
16KB

Download
memory/3028-8-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/3028-9-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3028-10-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3028-11-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3028-12-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3028-13-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/3028-14-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/3028-15-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/3028-16-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/3028-17-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/3028-18-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/3028-19-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/3028-20-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/3028-21-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3028-22-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/3028-29-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3028-30-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3028-31-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads