smokeloader | f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc

General

Target

f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe
Size

189KB
MD5

c1d7d3c37cb954a86b42287ca35986ec
SHA1

7b5ba6597b26fe3b0136e5cd0fbe8dc1060f96d0
SHA256

f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc
SHA512

b22a8e4f5b9b66660fa7fe42fcd06283c52b00384684b349959cf6580bd57895ddb57439e7527577d5635800da7e4c8ea3e84a3e2058aba6aef25f6b77e6e142

Score

10^/10

smokeloader backdoor collection trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

2612

pid	process
2612

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

948 3804 WerFault.exe DllHost.exe

pid	pid_target	process	target process
948	3804	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49B95854-7F73-11EC-9231-46AC2453C65E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe

pid	process
3376	f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe
3376	f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2612

pid	process
2612

Suspicious behavior: MapViewOfSection 47 IoCs

Processes:

f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3376	f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe
2612
2612
2612
2612
2612
2612
4664	explorer.exe
4664	explorer.exe
2612
2612
2980	explorer.exe
2980	explorer.exe
2612
2612
4860	explorer.exe
4860	explorer.exe
2612
2612
3844	explorer.exe
3844	explorer.exe
2612
2612
4564	explorer.exe
4564	explorer.exe
2612
2612
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe
4264	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4456	WMIC.exe
Token: SeSecurityPrivilege	4456	WMIC.exe
Token: SeTakeOwnershipPrivilege	4456	WMIC.exe
Token: SeLoadDriverPrivilege	4456	WMIC.exe
Token: SeSystemProfilePrivilege	4456	WMIC.exe
Token: SeSystemtimePrivilege	4456	WMIC.exe
Token: SeProfSingleProcessPrivilege	4456	WMIC.exe
Token: SeIncBasePriorityPrivilege	4456	WMIC.exe
Token: SeCreatePagefilePrivilege	4456	WMIC.exe
Token: SeBackupPrivilege	4456	WMIC.exe
Token: SeRestorePrivilege	4456	WMIC.exe
Token: SeShutdownPrivilege	4456	WMIC.exe
Token: SeDebugPrivilege	4456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4456	WMIC.exe
Token: SeRemoteShutdownPrivilege	4456	WMIC.exe
Token: SeUndockPrivilege	4456	WMIC.exe
Token: SeManageVolumePrivilege	4456	WMIC.exe
Token: 33	4456	WMIC.exe
Token: 34	4456	WMIC.exe
Token: 35	4456	WMIC.exe
Token: 36	4456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4456	WMIC.exe
Token: SeSecurityPrivilege	4456	WMIC.exe
Token: SeTakeOwnershipPrivilege	4456	WMIC.exe
Token: SeLoadDriverPrivilege	4456	WMIC.exe
Token: SeSystemProfilePrivilege	4456	WMIC.exe
Token: SeSystemtimePrivilege	4456	WMIC.exe
Token: SeProfSingleProcessPrivilege	4456	WMIC.exe
Token: SeIncBasePriorityPrivilege	4456	WMIC.exe
Token: SeCreatePagefilePrivilege	4456	WMIC.exe
Token: SeBackupPrivilege	4456	WMIC.exe
Token: SeRestorePrivilege	4456	WMIC.exe
Token: SeShutdownPrivilege	4456	WMIC.exe
Token: SeDebugPrivilege	4456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4456	WMIC.exe
Token: SeRemoteShutdownPrivilege	4456	WMIC.exe
Token: SeUndockPrivilege	4456	WMIC.exe
Token: SeManageVolumePrivilege	4456	WMIC.exe
Token: 33	4456	WMIC.exe
Token: 34	4456	WMIC.exe
Token: 35	4456	WMIC.exe
Token: 36	4456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4336	WMIC.exe
Token: SeSecurityPrivilege	4336	WMIC.exe
Token: SeTakeOwnershipPrivilege	4336	WMIC.exe
Token: SeLoadDriverPrivilege	4336	WMIC.exe
Token: SeSystemProfilePrivilege	4336	WMIC.exe
Token: SeSystemtimePrivilege	4336	WMIC.exe
Token: SeProfSingleProcessPrivilege	4336	WMIC.exe
Token: SeIncBasePriorityPrivilege	4336	WMIC.exe
Token: SeCreatePagefilePrivilege	4336	WMIC.exe
Token: SeBackupPrivilege	4336	WMIC.exe
Token: SeRestorePrivilege	4336	WMIC.exe
Token: SeShutdownPrivilege	4336	WMIC.exe
Token: SeDebugPrivilege	4336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4336	WMIC.exe
Token: SeRemoteShutdownPrivilege	4336	WMIC.exe
Token: SeUndockPrivilege	4336	WMIC.exe
Token: SeManageVolumePrivilege	4336	WMIC.exe
Token: 33	4336	WMIC.exe
Token: 34	4336	WMIC.exe
Token: 35	4336	WMIC.exe
Token: 36	4336	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4336	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2388 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2388 iexplore.exe
2388 iexplore.exe
2992 IEXPLORE.EXE
2992 IEXPLORE.EXE

pid	process
2388	iexplore.exe

pid	process
2388	iexplore.exe
2388	iexplore.exe
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeiexplore.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2612 wrote to memory of 4388	2612		cmd.exe
PID 2612 wrote to memory of 4388	2612		cmd.exe
PID 4388 wrote to memory of 4456	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 4456	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 4336	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 4336	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 3232	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 3232	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 3832	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 3832	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 4508	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 4508	4388	cmd.exe	WMIC.exe
PID 2388 wrote to memory of 2992	2388	iexplore.exe	IEXPLORE.EXE
PID 2388 wrote to memory of 2992	2388	iexplore.exe	IEXPLORE.EXE
PID 2388 wrote to memory of 2992	2388	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 1232	2612		explorer.exe
PID 2612 wrote to memory of 1232	2612		explorer.exe
PID 2612 wrote to memory of 1232	2612		explorer.exe
PID 2612 wrote to memory of 1232	2612		explorer.exe
PID 2612 wrote to memory of 4888	2612		explorer.exe
PID 2612 wrote to memory of 4888	2612		explorer.exe
PID 2612 wrote to memory of 4888	2612		explorer.exe
PID 2612 wrote to memory of 4664	2612		explorer.exe
PID 2612 wrote to memory of 4664	2612		explorer.exe
PID 2612 wrote to memory of 4664	2612		explorer.exe
PID 2612 wrote to memory of 4664	2612		explorer.exe
PID 4664 wrote to memory of 2992	4664	explorer.exe	IEXPLORE.EXE
PID 4664 wrote to memory of 2992	4664	explorer.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2980	2612		explorer.exe
PID 2612 wrote to memory of 2980	2612		explorer.exe
PID 2612 wrote to memory of 2980	2612		explorer.exe
PID 2980 wrote to memory of 2388	2980	explorer.exe	iexplore.exe
PID 2980 wrote to memory of 2388	2980	explorer.exe	iexplore.exe
PID 2612 wrote to memory of 4860	2612		explorer.exe
PID 2612 wrote to memory of 4860	2612		explorer.exe
PID 2612 wrote to memory of 4860	2612		explorer.exe
PID 2612 wrote to memory of 4860	2612		explorer.exe
PID 4860 wrote to memory of 2992	4860	explorer.exe	IEXPLORE.EXE
PID 4860 wrote to memory of 2992	4860	explorer.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 3844	2612		explorer.exe
PID 2612 wrote to memory of 3844	2612		explorer.exe
PID 2612 wrote to memory of 3844	2612		explorer.exe
PID 3844 wrote to memory of 2388	3844	explorer.exe	iexplore.exe
PID 3844 wrote to memory of 2388	3844	explorer.exe	iexplore.exe
PID 2612 wrote to memory of 4564	2612		explorer.exe
PID 2612 wrote to memory of 4564	2612		explorer.exe
PID 2612 wrote to memory of 4564	2612		explorer.exe
PID 2612 wrote to memory of 4564	2612		explorer.exe
PID 4564 wrote to memory of 2992	4564	explorer.exe	IEXPLORE.EXE
PID 4564 wrote to memory of 2992	4564	explorer.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 4264	2612		explorer.exe
PID 2612 wrote to memory of 4264	2612		explorer.exe
PID 2612 wrote to memory of 4264	2612		explorer.exe
PID 4264 wrote to memory of 2920	4264	explorer.exe	sihost.exe
PID 4264 wrote to memory of 2920	4264	explorer.exe	sihost.exe
PID 4264 wrote to memory of 2940	4264	explorer.exe	svchost.exe
PID 4264 wrote to memory of 2940	4264	explorer.exe	svchost.exe
PID 4264 wrote to memory of 3000	4264	explorer.exe	taskhostw.exe
PID 4264 wrote to memory of 3000	4264	explorer.exe	taskhostw.exe
PID 4264 wrote to memory of 3312	4264	explorer.exe	ShellExperienceHost.exe
PID 4264 wrote to memory of 3312	4264	explorer.exe	ShellExperienceHost.exe
PID 4264 wrote to memory of 3332	4264	explorer.exe	SearchUI.exe
PID 4264 wrote to memory of 3332	4264	explorer.exe	SearchUI.exe
PID 4264 wrote to memory of 3516	4264	explorer.exe	RuntimeBroker.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3000

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2940

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3804 -s 912
2⤵
- Program crash
PID:948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3516

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe
"C:\Users\Admin\AppData\Local\Temp\f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3376

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:3232

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:3832

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1232

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4888

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-152-0x00000281CE680000-0x00000281CE979000-memory.dmp

Filesize
3.0MB

Download
memory/948-151-0x00000281CE680000-0x00000281CE979000-memory.dmp

Filesize
3.0MB

Download
memory/948-154-0x00000281CE680000-0x00000281CE979000-memory.dmp

Filesize
3.0MB

Download
memory/1232-132-0x0000000000A70000-0x0000000000AE5000-memory.dmp

Filesize
468KB

Download
memory/1232-133-0x0000000000A00000-0x0000000000A6B000-memory.dmp

Filesize
428KB

Download
memory/2612-121-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/2612-124-0x0000000000F50000-0x0000000002D00000-memory.dmp

Filesize
29.7MB

Download
memory/2920-146-0x0000029E0EB00000-0x0000029E0EB01000-memory.dmp

Filesize
4KB

Download
memory/2940-147-0x000001EAC8240000-0x000001EAC8241000-memory.dmp

Filesize
4KB

Download
memory/2980-137-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2980-136-0x0000000000520000-0x0000000000529000-memory.dmp

Filesize
36KB

Download
memory/3000-153-0x000001ED1D070000-0x000001ED1D071000-memory.dmp

Filesize
4KB

Download
memory/3000-148-0x000001ED1CD30000-0x000001ED1CD31000-memory.dmp

Filesize
4KB

Download
memory/3376-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3376-119-0x0000000000520000-0x0000000000529000-memory.dmp

Filesize
36KB

Download
memory/3516-149-0x000001B5B9860000-0x000001B5B9861000-memory.dmp

Filesize
4KB

Download
memory/3844-140-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/3844-141-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/4264-145-0x0000000000680000-0x000000000068D000-memory.dmp

Filesize
52KB

Download
memory/4264-144-0x0000000000690000-0x0000000000697000-memory.dmp

Filesize
28KB

Download
memory/4564-143-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download
memory/4564-142-0x0000000001010000-0x0000000001016000-memory.dmp

Filesize
24KB

Download
memory/4664-135-0x0000000000B60000-0x0000000000B6B000-memory.dmp

Filesize
44KB

Download
memory/4664-134-0x0000000000B70000-0x0000000000B77000-memory.dmp

Filesize
28KB

Download
memory/4860-139-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download
memory/4860-138-0x00000000010E0000-0x00000000010E5000-memory.dmp

Filesize
20KB

Download
memory/4888-131-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads