lumma | 8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T00:45:34Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240226-en/instance_22-dirty.qcow2\"}"

General

Target

8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe
Size

240KB
MD5

817d3b2845b7869b9fc71086755bef75
SHA1

62afe642e08e778593a54c053af79cb2efecbe6b
SHA256

8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa
SHA512

23fa2f5a78a1fcba86ec53b509d05fd8134a8d6466cf7aaffd7e39ef7ab812607eab0c40faea7512c4defdaa1c74ca7872504c5fae5597e3e0ae81bb990f453d
SSDEEP

3072:GHAEvKLe+EtqHInlgz3OWtd6IwYbF2u5u1SkLRaQedb:nL7EXlgzzOI3beUJ5

Score

10^/10

lumma redline smokeloader @cloudcosmic (https://cloudcosmic.store)pub1 backdoor bootkit discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

@cloudcosmic (https://cloudcosmic.store)

C2

87.121.105.175:14845

Extracted

Family

lumma

C2

https://strollheavengwu.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9B5E.exe	family_redline
behavioral2/memory/4396-25-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

3300
Executes dropped EXE 4 IoCs

Processes:

9B5E.exeA62C.exeB0BC.exeugacwvw

pid process

4396 9B5E.exe
5028 A62C.exe
3508 B0BC.exe
4572 ugacwvw
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

78 drive.google.com
79 drive.google.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

A62C.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 A62C.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4244 3508 WerFault.exe B0BC.exe

pid	process
3300

pid	process
4396	9B5E.exe
5028	A62C.exe
3508	B0BC.exe
4572	ugacwvw

flow	ioc
78	drive.google.com
79	drive.google.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	A62C.exe

pid	pid_target	process	target process
4244	3508	WerFault.exe	B0BC.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ugacwvw8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ugacwvw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ugacwvw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ugacwvw

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

9B5E.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	9B5E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	9B5E.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe

pid	process
3152	8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe
3152	8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300
3300

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exeugacwvw

pid process

3152 8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe
4572 ugacwvw

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

9B5E.exeA62C.exe

description	pid	process
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeDebugPrivilege	4396	9B5E.exe
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeShutdownPrivilege	3300
Token: SeCreatePagefilePrivilege	3300
Token: SeShutdownPrivilege	5028	A62C.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 3300 wrote to memory of 5112	3300		cmd.exe
PID 3300 wrote to memory of 5112	3300		cmd.exe
PID 5112 wrote to memory of 1992	5112	cmd.exe	reg.exe
PID 5112 wrote to memory of 1992	5112	cmd.exe	reg.exe
PID 3300 wrote to memory of 4680	3300		cmd.exe
PID 3300 wrote to memory of 4680	3300		cmd.exe
PID 4680 wrote to memory of 3844	4680	cmd.exe	reg.exe
PID 4680 wrote to memory of 3844	4680	cmd.exe	reg.exe
PID 3300 wrote to memory of 4396	3300		9B5E.exe
PID 3300 wrote to memory of 4396	3300		9B5E.exe
PID 3300 wrote to memory of 4396	3300		9B5E.exe
PID 3300 wrote to memory of 5028	3300		A62C.exe
PID 3300 wrote to memory of 5028	3300		A62C.exe
PID 3300 wrote to memory of 5028	3300		A62C.exe
PID 3300 wrote to memory of 3508	3300		B0BC.exe
PID 3300 wrote to memory of 3508	3300		B0BC.exe
PID 3300 wrote to memory of 3508	3300		B0BC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe
"C:\Users\Admin\AppData\Local\Temp\8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4A33.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7849.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\9B5E.exe
C:\Users\Admin\AppData\Local\Temp\9B5E.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Users\Admin\AppData\Local\Temp\A62C.exe
C:\Users\Admin\AppData\Local\Temp\A62C.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Users\Admin\AppData\Local\Temp\B0BC.exe
C:\Users\Admin\AppData\Local\Temp\B0BC.exe
1⤵
- Executes dropped EXE
PID:3508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1132
  2⤵
  - Program crash
  PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3508 -ip 3508
1⤵
PID:2768

C:\Users\Admin\AppData\Roaming\ugacwvw
C:\Users\Admin\AppData\Roaming\ugacwvw
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4A33.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B5E.exe

Filesize
304KB

MD5
e9c6cf15980688c2d0eca2b8fd36cb37

SHA1
328078770d6df3042d7737daf0c1cdc61a4180f5

SHA256
6c70db8bdfc6f6506ee80fcb7c3c6152e81e464b29f0b6cbe2294997f7531b53

SHA512
e6a39a1345256896bc78a8184d5020026d125fe54cfe48e89247169eeb5c59bcab4a00a91b1078bbaf71677868bf29b4b56768183dc9d595af4f04645299089f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A62C.exe

Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0BC.exe

Filesize
352KB

MD5
7b3e62bcbeed62a180220669f6a0c548

SHA1
3d12e7bf87ce03fe4c59c5127e225dfd37b7a530

SHA256
32cad0a627c9f3bf1172d0fc11a5492b2ff20e3e5509f53e0ac83e87d15f2a5d

SHA512
fe3456aecbfa5609623e616eaaaa8eec07b69ab5447f91358afa274e5c197e4e6784dce97822e7d4f3d5e695902fc25ceebb83d988da0afe552597d8821fce7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpA985.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\ugacwvw

Filesize
240KB

MD5
817d3b2845b7869b9fc71086755bef75

SHA1
62afe642e08e778593a54c053af79cb2efecbe6b

SHA256
8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa

SHA512
23fa2f5a78a1fcba86ec53b509d05fd8134a8d6466cf7aaffd7e39ef7ab812607eab0c40faea7512c4defdaa1c74ca7872504c5fae5597e3e0ae81bb990f453d

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
d296a91425fcc6fc64131daa21b1e719

SHA1
d01ea7040892df4fdbebc1484e8369419df04415

SHA256
3e1c1b44a178ac34f14c4e11861f037beab24cbd7db06eea766c0e25aaf18195

SHA512
6fd65a47173a26dd172484dbaecf803ee7b485ead45fda139f7b9128ce6d97bf3ffc79bf51565b7626b4ed85f561df23861286c1fafc9f67f4b2e607933c162b

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
dba4c9da0667b893c996fe4158a6283c

SHA1
4a39bc4dab3997076369f623d2a7506ced7b88ce

SHA256
e6cc8c1bfa559ffdcb62d40a704206c2d3fa404f2dd94357a14a623b00d04d07

SHA512
5496d4a33c35482e80eab0c22336fe67f51b5f65a37c63305833a741cb8365b6d0dcff3ededcfaeab2f85dd7a8e86b8186b37124fcdf594fb752990729c7e405

Download Submit
memory/3152-5-0x0000000000400000-0x0000000002C1F000-memory.dmp

Filesize
40.1MB

Download
memory/3152-8-0x0000000002CA0000-0x0000000002CAB000-memory.dmp

Filesize
44KB

Download
memory/3152-1-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download
memory/3152-3-0x0000000000400000-0x0000000002C1F000-memory.dmp

Filesize
40.1MB

Download
memory/3152-2-0x0000000002CA0000-0x0000000002CAB000-memory.dmp

Filesize
44KB

Download
memory/3300-83-0x00000000029E0000-0x00000000029F6000-memory.dmp

Filesize
88KB

Download
memory/3300-4-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

Filesize
88KB

Download
memory/3508-68-0x0000000000400000-0x0000000004048000-memory.dmp

Filesize
60.3MB

Download
memory/3508-66-0x0000000004160000-0x00000000041AB000-memory.dmp

Filesize
300KB

Download
memory/3508-65-0x0000000004300000-0x0000000004400000-memory.dmp

Filesize
1024KB

Download
memory/4396-56-0x0000000006550000-0x0000000006562000-memory.dmp

Filesize
72KB

Download
memory/4396-69-0x0000000006860000-0x00000000068C6000-memory.dmp

Filesize
408KB

Download
memory/4396-54-0x0000000006AC0000-0x00000000070D8000-memory.dmp

Filesize
6.1MB

Download
memory/4396-51-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/4396-50-0x0000000005AA0000-0x0000000005B16000-memory.dmp

Filesize
472KB

Download
memory/4396-29-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/4396-64-0x00000000065B0000-0x00000000065EC000-memory.dmp

Filesize
240KB

Download
memory/4396-28-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4396-27-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/4396-67-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/4396-26-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/4396-55-0x0000000006610000-0x000000000671A000-memory.dmp

Filesize
1.0MB

Download
memory/4396-70-0x00000000072E0000-0x0000000007330000-memory.dmp

Filesize
320KB

Download
memory/4396-73-0x00000000085C0000-0x0000000008782000-memory.dmp

Filesize
1.8MB

Download
memory/4396-74-0x0000000008CC0000-0x00000000091EC000-memory.dmp

Filesize
5.2MB

Download
memory/4396-75-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-77-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-25-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/4396-24-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-82-0x0000000000400000-0x0000000002C1F000-memory.dmp

Filesize
40.1MB

Download
memory/4572-81-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/4572-84-0x0000000000400000-0x0000000002C1F000-memory.dmp

Filesize
40.1MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads