smokeloader | 2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3

General

Target

2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe
Size

316KB
MD5

afc1267985c0d23f4b7fb22a4cc98cca
SHA1

fa0bb2db621e58372afe3a53af58b059c35f606e
SHA256

2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3
SHA512

07a98098a729be1b2640c7a660f8a67481be198eb8106ae051729d4136d304117813ab9070f7140161fe7cb463f3c3b2fdafac908f919e80e5812c04d19bd6ae

Score

10^/10

smokeloader backdoor collection trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1880

pid	process
1880

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2000 3768 WerFault.exe DllHost.exe

pid	pid_target	process	target process
2000	3768	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3CD79FB-7E17-11EC-9231-EAE77BAD686B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe

pid	process
2384	2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe
2384	2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880
1880

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1880

pid	process
1880

Suspicious behavior: MapViewOfSection 47 IoCs

Processes:

2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2384	2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe
1880
1880
1880
1880
1880
1880
1472	explorer.exe
1472	explorer.exe
1880
1880
1268	explorer.exe
1268	explorer.exe
1880
1880
596	explorer.exe
596	explorer.exe
1880
1880
944	explorer.exe
944	explorer.exe
1880
1880
2064	explorer.exe
2064	explorer.exe
1880
1880
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe
992	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1032	WMIC.exe
Token: SeSecurityPrivilege	1032	WMIC.exe
Token: SeTakeOwnershipPrivilege	1032	WMIC.exe
Token: SeLoadDriverPrivilege	1032	WMIC.exe
Token: SeSystemProfilePrivilege	1032	WMIC.exe
Token: SeSystemtimePrivilege	1032	WMIC.exe
Token: SeProfSingleProcessPrivilege	1032	WMIC.exe
Token: SeIncBasePriorityPrivilege	1032	WMIC.exe
Token: SeCreatePagefilePrivilege	1032	WMIC.exe
Token: SeBackupPrivilege	1032	WMIC.exe
Token: SeRestorePrivilege	1032	WMIC.exe
Token: SeShutdownPrivilege	1032	WMIC.exe
Token: SeDebugPrivilege	1032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1032	WMIC.exe
Token: SeRemoteShutdownPrivilege	1032	WMIC.exe
Token: SeUndockPrivilege	1032	WMIC.exe
Token: SeManageVolumePrivilege	1032	WMIC.exe
Token: 33	1032	WMIC.exe
Token: 34	1032	WMIC.exe
Token: 35	1032	WMIC.exe
Token: 36	1032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1032	WMIC.exe
Token: SeSecurityPrivilege	1032	WMIC.exe
Token: SeTakeOwnershipPrivilege	1032	WMIC.exe
Token: SeLoadDriverPrivilege	1032	WMIC.exe
Token: SeSystemProfilePrivilege	1032	WMIC.exe
Token: SeSystemtimePrivilege	1032	WMIC.exe
Token: SeProfSingleProcessPrivilege	1032	WMIC.exe
Token: SeIncBasePriorityPrivilege	1032	WMIC.exe
Token: SeCreatePagefilePrivilege	1032	WMIC.exe
Token: SeBackupPrivilege	1032	WMIC.exe
Token: SeRestorePrivilege	1032	WMIC.exe
Token: SeShutdownPrivilege	1032	WMIC.exe
Token: SeDebugPrivilege	1032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1032	WMIC.exe
Token: SeRemoteShutdownPrivilege	1032	WMIC.exe
Token: SeUndockPrivilege	1032	WMIC.exe
Token: SeManageVolumePrivilege	1032	WMIC.exe
Token: 33	1032	WMIC.exe
Token: 34	1032	WMIC.exe
Token: 35	1032	WMIC.exe
Token: 36	1032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1384	WMIC.exe
Token: SeSecurityPrivilege	1384	WMIC.exe
Token: SeTakeOwnershipPrivilege	1384	WMIC.exe
Token: SeLoadDriverPrivilege	1384	WMIC.exe
Token: SeSystemProfilePrivilege	1384	WMIC.exe
Token: SeSystemtimePrivilege	1384	WMIC.exe
Token: SeProfSingleProcessPrivilege	1384	WMIC.exe
Token: SeIncBasePriorityPrivilege	1384	WMIC.exe
Token: SeCreatePagefilePrivilege	1384	WMIC.exe
Token: SeBackupPrivilege	1384	WMIC.exe
Token: SeRestorePrivilege	1384	WMIC.exe
Token: SeShutdownPrivilege	1384	WMIC.exe
Token: SeDebugPrivilege	1384	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1384	WMIC.exe
Token: SeRemoteShutdownPrivilege	1384	WMIC.exe
Token: SeUndockPrivilege	1384	WMIC.exe
Token: SeManageVolumePrivilege	1384	WMIC.exe
Token: 33	1384	WMIC.exe
Token: 34	1384	WMIC.exe
Token: 35	1384	WMIC.exe
Token: 36	1384	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1384	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2384 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2384 iexplore.exe
2384 iexplore.exe
2972 IEXPLORE.EXE
2972 IEXPLORE.EXE

pid	process
2384	iexplore.exe

pid	process
2384	iexplore.exe
2384	iexplore.exe
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeiexplore.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1880 wrote to memory of 3968	1880		cmd.exe
PID 1880 wrote to memory of 3968	1880		cmd.exe
PID 3968 wrote to memory of 1032	3968	cmd.exe	WMIC.exe
PID 3968 wrote to memory of 1032	3968	cmd.exe	WMIC.exe
PID 3968 wrote to memory of 1384	3968	cmd.exe	WMIC.exe
PID 3968 wrote to memory of 1384	3968	cmd.exe	WMIC.exe
PID 3968 wrote to memory of 2324	3968	cmd.exe	WMIC.exe
PID 3968 wrote to memory of 2324	3968	cmd.exe	WMIC.exe
PID 3968 wrote to memory of 4060	3968	cmd.exe	WMIC.exe
PID 3968 wrote to memory of 4060	3968	cmd.exe	WMIC.exe
PID 2384 wrote to memory of 2972	2384	iexplore.exe	IEXPLORE.EXE
PID 2384 wrote to memory of 2972	2384	iexplore.exe	IEXPLORE.EXE
PID 2384 wrote to memory of 2972	2384	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 1428	1880		explorer.exe
PID 1880 wrote to memory of 1428	1880		explorer.exe
PID 1880 wrote to memory of 1428	1880		explorer.exe
PID 1880 wrote to memory of 1428	1880		explorer.exe
PID 1880 wrote to memory of 3372	1880		explorer.exe
PID 1880 wrote to memory of 3372	1880		explorer.exe
PID 1880 wrote to memory of 3372	1880		explorer.exe
PID 1880 wrote to memory of 1472	1880		explorer.exe
PID 1880 wrote to memory of 1472	1880		explorer.exe
PID 1880 wrote to memory of 1472	1880		explorer.exe
PID 1880 wrote to memory of 1472	1880		explorer.exe
PID 1472 wrote to memory of 2972	1472	explorer.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 2972	1472	explorer.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 1268	1880		explorer.exe
PID 1880 wrote to memory of 1268	1880		explorer.exe
PID 1880 wrote to memory of 1268	1880		explorer.exe
PID 1268 wrote to memory of 2384	1268	explorer.exe	iexplore.exe
PID 1268 wrote to memory of 2384	1268	explorer.exe	iexplore.exe
PID 1880 wrote to memory of 596	1880		explorer.exe
PID 1880 wrote to memory of 596	1880		explorer.exe
PID 1880 wrote to memory of 596	1880		explorer.exe
PID 1880 wrote to memory of 596	1880		explorer.exe
PID 596 wrote to memory of 2972	596	explorer.exe	IEXPLORE.EXE
PID 596 wrote to memory of 2972	596	explorer.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 944	1880		explorer.exe
PID 1880 wrote to memory of 944	1880		explorer.exe
PID 1880 wrote to memory of 944	1880		explorer.exe
PID 944 wrote to memory of 2384	944	explorer.exe	iexplore.exe
PID 944 wrote to memory of 2384	944	explorer.exe	iexplore.exe
PID 1880 wrote to memory of 2064	1880		explorer.exe
PID 1880 wrote to memory of 2064	1880		explorer.exe
PID 1880 wrote to memory of 2064	1880		explorer.exe
PID 1880 wrote to memory of 2064	1880		explorer.exe
PID 2064 wrote to memory of 2972	2064	explorer.exe	IEXPLORE.EXE
PID 2064 wrote to memory of 2972	2064	explorer.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 992	1880		explorer.exe
PID 1880 wrote to memory of 992	1880		explorer.exe
PID 1880 wrote to memory of 992	1880		explorer.exe
PID 992 wrote to memory of 2448	992	explorer.exe	sihost.exe
PID 992 wrote to memory of 2448	992	explorer.exe	sihost.exe
PID 992 wrote to memory of 2456	992	explorer.exe	svchost.exe
PID 992 wrote to memory of 2456	992	explorer.exe	svchost.exe
PID 992 wrote to memory of 2760	992	explorer.exe	taskhostw.exe
PID 992 wrote to memory of 2760	992	explorer.exe	taskhostw.exe
PID 992 wrote to memory of 3256	992	explorer.exe	ShellExperienceHost.exe
PID 992 wrote to memory of 3256	992	explorer.exe	ShellExperienceHost.exe
PID 992 wrote to memory of 3268	992	explorer.exe	SearchUI.exe
PID 992 wrote to memory of 3268	992	explorer.exe	SearchUI.exe
PID 992 wrote to memory of 3512	992	explorer.exe	RuntimeBroker.exe
PID 992 wrote to memory of 3512	992	explorer.exe	RuntimeBroker.exe
PID 992 wrote to memory of 3768	992	explorer.exe	DllHost.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3256

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3768 -s 908
2⤵
- Program crash
PID:2000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3512

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3268

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2456

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe
"C:\Users\Admin\AppData\Local\Temp\2b0dea2ff2d83c8a0f9a2c72ccca46769955ea60dede40dc96e8e99e7f824de3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2384

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:2324

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:4060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1428

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-321-0x00000000004F0000-0x00000000004F5000-memory.dmp

Filesize
20KB

Download
memory/596-322-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/944-324-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/944-323-0x0000000000C40000-0x0000000000C46000-memory.dmp

Filesize
24KB

Download
memory/992-328-0x00000000008A0000-0x00000000008AD000-memory.dmp

Filesize
52KB

Download
memory/992-327-0x00000000008B0000-0x00000000008B7000-memory.dmp

Filesize
28KB

Download
memory/1268-319-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

Filesize
36KB

Download
memory/1268-320-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/1428-315-0x0000000003200000-0x000000000326B000-memory.dmp

Filesize
428KB

Download
memory/1428-314-0x0000000003270000-0x00000000032E5000-memory.dmp

Filesize
468KB

Download
memory/1472-317-0x0000000002EF0000-0x0000000002EF7000-memory.dmp

Filesize
28KB

Download
memory/1472-318-0x0000000000AA0000-0x0000000000AAB000-memory.dmp

Filesize
44KB

Download
memory/1880-120-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2000-334-0x0000027CF2A30000-0x0000027CF2A31000-memory.dmp

Filesize
4KB

Download
memory/2064-325-0x0000000000A20000-0x0000000000A26000-memory.dmp

Filesize
24KB

Download
memory/2064-326-0x0000000000A10000-0x0000000000A1B000-memory.dmp

Filesize
44KB

Download
memory/2384-118-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/2384-119-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2384-117-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/2448-329-0x0000020E446A0000-0x0000020E446A1000-memory.dmp

Filesize
4KB

Download
memory/2456-330-0x000002784E580000-0x000002784E581000-memory.dmp

Filesize
4KB

Download
memory/2760-331-0x0000024B3EFE0000-0x0000024B3EFE1000-memory.dmp

Filesize
4KB

Download
memory/2760-333-0x0000024B3F320000-0x0000024B3F321000-memory.dmp

Filesize
4KB

Download
memory/3372-316-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/3512-332-0x0000027712630000-0x0000027712631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads