lumma | 3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37

General

Target

3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
Size

263KB
MD5

f572d2cf74a7897bebb459dc08a45411
SHA1

9a6bc0b9670cf1e5ea21876c1a71bafdec32017f
SHA256

3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37
SHA512

d75df9d31d36776841854c3708727219380cd8731d0669fd18be634047b7526299bd5e5fa561385e7dce458edee417f08ed779b3a590dc9a71450f6ef3557a33
SSDEEP

3072:Y2e/zGhApVVIbW+UHPiXQGDL5mc4IRKU1uhIrueTi21TE7idvqjfyJ+dELqPtPe:OzCbWeQmLomRTVxT4O87dEL4t

Score

10^/10

lumma redline smokeloader logsdiller cloud (telegram: @logsdillabot)pub1 backdoor bootkit discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.96:28380

Extracted

Family

lumma

C2

https://strollheavengwu.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5816-20-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

3196
Executes dropped EXE 4 IoCs

Processes:

2736.exe61FA.exe6A58.exewgtacwh

pid process

5764 2736.exe
3544 61FA.exe
2728 6A58.exe
4296 wgtacwh
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

91 drive.google.com
92 drive.google.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

61FA.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 61FA.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2736.exe

description pid process target process

PID 5764 set thread context of 5816 5764 2736.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3964 5764 WerFault.exe 2736.exe
4692 2728 WerFault.exe 6A58.exe

pid	process
3196

pid	process
5764	2736.exe
3544	61FA.exe
2728	6A58.exe
4296	wgtacwh

flow	ioc
91	drive.google.com
92	drive.google.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	61FA.exe

description	pid	process	target process
PID 5764 set thread context of 5816	5764	2736.exe	RegAsm.exe

pid	pid_target	process	target process
3964	5764	WerFault.exe	2736.exe
4692	2728	WerFault.exe	6A58.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wgtacwh3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgtacwh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgtacwh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgtacwh

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

pid	process
2260	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
2260	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

pid process

2260 3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeDebugPrivilege	5816	RegAsm.exe
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cmd.exe2736.execmd.exe

description	pid	process	target process
PID 3196 wrote to memory of 3080	3196		cmd.exe
PID 3196 wrote to memory of 3080	3196		cmd.exe
PID 3080 wrote to memory of 5944	3080	cmd.exe	reg.exe
PID 3080 wrote to memory of 5944	3080	cmd.exe	reg.exe
PID 3196 wrote to memory of 5764	3196		2736.exe
PID 3196 wrote to memory of 5764	3196		2736.exe
PID 3196 wrote to memory of 5764	3196		2736.exe
PID 5764 wrote to memory of 5816	5764	2736.exe	RegAsm.exe
PID 5764 wrote to memory of 5816	5764	2736.exe	RegAsm.exe
PID 5764 wrote to memory of 5816	5764	2736.exe	RegAsm.exe
PID 5764 wrote to memory of 5816	5764	2736.exe	RegAsm.exe
PID 5764 wrote to memory of 5816	5764	2736.exe	RegAsm.exe
PID 5764 wrote to memory of 5816	5764	2736.exe	RegAsm.exe
PID 5764 wrote to memory of 5816	5764	2736.exe	RegAsm.exe
PID 5764 wrote to memory of 5816	5764	2736.exe	RegAsm.exe
PID 3196 wrote to memory of 3076	3196		cmd.exe
PID 3196 wrote to memory of 3076	3196		cmd.exe
PID 3076 wrote to memory of 2908	3076	cmd.exe	reg.exe
PID 3076 wrote to memory of 2908	3076	cmd.exe	reg.exe
PID 3196 wrote to memory of 3544	3196		61FA.exe
PID 3196 wrote to memory of 3544	3196		61FA.exe
PID 3196 wrote to memory of 3544	3196		61FA.exe
PID 3196 wrote to memory of 2728	3196		6A58.exe
PID 3196 wrote to memory of 2728	3196		6A58.exe
PID 3196 wrote to memory of 2728	3196		6A58.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
"C:\Users\Admin\AppData\Local\Temp\3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5A6F.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\2736.exe
C:\Users\Admin\AppData\Local\Temp\2736.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:5816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 324
  2⤵
  - Program crash
  PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5764 -ip 5764
1⤵
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3A13.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2908

C:\Users\Admin\AppData\Local\Temp\61FA.exe
C:\Users\Admin\AppData\Local\Temp\61FA.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3544

C:\Users\Admin\AppData\Local\Temp\6A58.exe
C:\Users\Admin\AppData\Local\Temp\6A58.exe
1⤵
- Executes dropped EXE
PID:2728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1148
  2⤵
  - Program crash
  PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2728 -ip 2728
1⤵
PID:2760

C:\Users\Admin\AppData\Roaming\wgtacwh
C:\Users\Admin\AppData\Roaming\wgtacwh
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2736.exe

Filesize
1.2MB

MD5
cc8622a4df9be323ac9b3ada3d1c8d32

SHA1
97ca6d02c88ef464c828e72b17f297d03aef320b

SHA256
d0e9f295f6bdea6e0363709e9abdc489602bc5ca2fdfff9318a96fee3955a817

SHA512
d83e91068514e566928f96019754353bdee570583b698cdf521f7849e5434a664fd8ac692b6a677675f50eaae49be19d4ca3d654fb3589da2e430930eabd6081

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A6F.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\61FA.exe

Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A58.exe

Filesize
370KB

MD5
39b80c4ae335847a949ff82d665fc8e1

SHA1
12e564b72db4cf266a8687cf17191719ca50a537

SHA256
347650f1a8b4d46848b94854d24c16dd8cf4c1a5626320015d8d92f3c992fa7b

SHA512
86f1c24511ad901c5bf1f696e8a5ec04b3e3815429265236235ff1e2bf890762ef22eeb70a17302b2762a4a97269caf7cfa13f2a66b1046e9fe8af6bded1d0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5143.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\wgtacwh

Filesize
263KB

MD5
f572d2cf74a7897bebb459dc08a45411

SHA1
9a6bc0b9670cf1e5ea21876c1a71bafdec32017f

SHA256
3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37

SHA512
d75df9d31d36776841854c3708727219380cd8731d0669fd18be634047b7526299bd5e5fa561385e7dce458edee417f08ed779b3a590dc9a71450f6ef3557a33

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
3db38f0159a109798b7b715ccd4cf126

SHA1
466c60a7778f56a0552f8f677d05187994552857

SHA256
02b4aaa94a664303f66543b89d7f5c1dd78946a4d2bbdf696917165db8030690

SHA512
b74516e722a2073aa38f77d7117b0baa813073b89015c72bb59d1e10603a7f1fb8a9eabc8970fc7d2eb33582335ccb8f7f7bb1b0b71db3833264944fdd025292

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
dba4c9da0667b893c996fe4158a6283c

SHA1
4a39bc4dab3997076369f623d2a7506ced7b88ce

SHA256
e6cc8c1bfa559ffdcb62d40a704206c2d3fa404f2dd94357a14a623b00d04d07

SHA512
5496d4a33c35482e80eab0c22336fe67f51b5f65a37c63305833a741cb8365b6d0dcff3ededcfaeab2f85dd7a8e86b8186b37124fcdf594fb752990729c7e405

Download Submit
memory/2260-2-0x00000000042A0000-0x00000000042AB000-memory.dmp

Filesize
44KB

Download
memory/2260-1-0x00000000042D0000-0x00000000043D0000-memory.dmp

Filesize
1024KB

Download
memory/2260-7-0x00000000042A0000-0x00000000042AB000-memory.dmp

Filesize
44KB

Download
memory/2260-4-0x0000000000400000-0x0000000004033000-memory.dmp

Filesize
60.2MB

Download
memory/2728-78-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/2728-79-0x0000000002FC0000-0x000000000300B000-memory.dmp

Filesize
300KB

Download
memory/2728-80-0x0000000000400000-0x0000000002C3F000-memory.dmp

Filesize
40.2MB

Download
memory/3196-3-0x0000000002F00000-0x0000000002F16000-memory.dmp

Filesize
88KB

Download
memory/4296-85-0x00000000042E0000-0x00000000043E0000-memory.dmp

Filesize
1024KB

Download
memory/5764-29-0x00000000000D0000-0x0000000000203000-memory.dmp

Filesize
1.2MB

Download
memory/5764-19-0x00000000000D0000-0x0000000000203000-memory.dmp

Filesize
1.2MB

Download
memory/5816-53-0x00000000069E0000-0x00000000069F2000-memory.dmp

Filesize
72KB

Download
memory/5816-63-0x0000000008EA0000-0x00000000093CC000-memory.dmp

Filesize
5.2MB

Download
memory/5816-51-0x0000000006F50000-0x0000000007568000-memory.dmp

Filesize
6.1MB

Download
memory/5816-48-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/5816-56-0x0000000006A40000-0x0000000006A7C000-memory.dmp

Filesize
240KB

Download
memory/5816-57-0x0000000006BB0000-0x0000000006BFC000-memory.dmp

Filesize
304KB

Download
memory/5816-58-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/5816-59-0x0000000006D10000-0x0000000006D76000-memory.dmp

Filesize
408KB

Download
memory/5816-60-0x00000000077C0000-0x0000000007810000-memory.dmp

Filesize
320KB

Download
memory/5816-61-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/5816-62-0x00000000087A0000-0x0000000008962000-memory.dmp

Filesize
1.8MB

Download
memory/5816-52-0x0000000006AA0000-0x0000000006BAA000-memory.dmp

Filesize
1.0MB

Download
memory/5816-66-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/5816-68-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/5816-47-0x00000000061B0000-0x0000000006226000-memory.dmp

Filesize
472KB

Download
memory/5816-30-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/5816-28-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/5816-23-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/5816-22-0x0000000005880000-0x0000000005E24000-memory.dmp

Filesize
5.6MB

Download
memory/5816-21-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/5816-20-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads