smokeloader | 1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a

General

Target

1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe
Size

305KB
MD5

bdd062ecb6cd44c74923022d2fc4892e
SHA1

9d7c97e0976bc97a736b9cd64a98f99d293adf0b
SHA256

1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a
SHA512

8d0f2f0a562c40c0393e23b826704401ff03fe50b949031cab2e928829082a96c7d79ab7602c5ce9efdf9bf982181eb1f50454d5723568d0f2781f900a10910f

Score

10^/10

smokeloader backdoor evasion trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://bahninfo.at/upload/

http://img4mobi.com/upload/

http://equix.ru/upload/

http://worldalltv.com/upload/

http://negarehgallery.com/upload/

http://lite-server.ru/upload/

http://piratia/su/upload/

http://go-piratia.ru/upload/

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

D987.exe1180.exe

pid process

3700 D987.exe
32 1180.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3700	D987.exe
32	1180.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

D987.exe1180.exe1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D987.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D987.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1180.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1180.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D987.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3812 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2300 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4948 systeminfo.exe
Runs net.exe

pid	process
3812	tasklist.exe

pid	process
2300	ipconfig.exe

pid	process
4948	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe

pid	process
4668	1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe
4668	1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2724
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exeD987.exe1180.exe

pid process

4668 1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe
3700 D987.exe
32 1180.exe

pid	process
2724

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe
Token: SeBackupPrivilege	4656	WMIC.exe
Token: SeRestorePrivilege	4656	WMIC.exe
Token: SeShutdownPrivilege	4656	WMIC.exe
Token: SeDebugPrivilege	4656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4656	WMIC.exe
Token: SeRemoteShutdownPrivilege	4656	WMIC.exe
Token: SeUndockPrivilege	4656	WMIC.exe
Token: SeManageVolumePrivilege	4656	WMIC.exe
Token: 33	4656	WMIC.exe
Token: 34	4656	WMIC.exe
Token: 35	4656	WMIC.exe
Token: 36	4656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe
Token: SeBackupPrivilege	4656	WMIC.exe
Token: SeRestorePrivilege	4656	WMIC.exe
Token: SeShutdownPrivilege	4656	WMIC.exe
Token: SeDebugPrivilege	4656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4656	WMIC.exe
Token: SeRemoteShutdownPrivilege	4656	WMIC.exe
Token: SeUndockPrivilege	4656	WMIC.exe
Token: SeManageVolumePrivilege	4656	WMIC.exe
Token: 33	4656	WMIC.exe
Token: 34	4656	WMIC.exe
Token: 35	4656	WMIC.exe
Token: 36	4656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1432	WMIC.exe
Token: SeSecurityPrivilege	1432	WMIC.exe
Token: SeTakeOwnershipPrivilege	1432	WMIC.exe
Token: SeLoadDriverPrivilege	1432	WMIC.exe
Token: SeSystemProfilePrivilege	1432	WMIC.exe
Token: SeSystemtimePrivilege	1432	WMIC.exe
Token: SeProfSingleProcessPrivilege	1432	WMIC.exe
Token: SeIncBasePriorityPrivilege	1432	WMIC.exe
Token: SeCreatePagefilePrivilege	1432	WMIC.exe
Token: SeBackupPrivilege	1432	WMIC.exe
Token: SeRestorePrivilege	1432	WMIC.exe
Token: SeShutdownPrivilege	1432	WMIC.exe
Token: SeDebugPrivilege	1432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1432	WMIC.exe
Token: SeRemoteShutdownPrivilege	1432	WMIC.exe
Token: SeUndockPrivilege	1432	WMIC.exe
Token: SeManageVolumePrivilege	1432	WMIC.exe
Token: 33	1432	WMIC.exe
Token: 34	1432	WMIC.exe
Token: 35	1432	WMIC.exe
Token: 36	1432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1432	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2724 wrote to memory of 3700	2724		D987.exe
PID 2724 wrote to memory of 3700	2724		D987.exe
PID 2724 wrote to memory of 3700	2724		D987.exe
PID 2724 wrote to memory of 32	2724		1180.exe
PID 2724 wrote to memory of 32	2724		1180.exe
PID 2724 wrote to memory of 32	2724		1180.exe
PID 2724 wrote to memory of 1384	2724		cmd.exe
PID 2724 wrote to memory of 1384	2724		cmd.exe
PID 1384 wrote to memory of 4656	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4656	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1432	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1432	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 5036	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 5036	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1520	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1520	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4036	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4036	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1236	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1236	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 3048	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 3048	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4172	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4172	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4316	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4316	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4388	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 4388	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 3548	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 3548	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1604	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1604	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 2832	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 2832	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 5048	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 5048	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 2300	1384	cmd.exe	ipconfig.exe
PID 1384 wrote to memory of 2300	1384	cmd.exe	ipconfig.exe
PID 1384 wrote to memory of 5100	1384	cmd.exe	ROUTE.EXE
PID 1384 wrote to memory of 5100	1384	cmd.exe	ROUTE.EXE
PID 1384 wrote to memory of 2780	1384	cmd.exe	netsh.exe
PID 1384 wrote to memory of 2780	1384	cmd.exe	netsh.exe
PID 1384 wrote to memory of 4948	1384	cmd.exe	systeminfo.exe
PID 1384 wrote to memory of 4948	1384	cmd.exe	systeminfo.exe
PID 1384 wrote to memory of 3812	1384	cmd.exe	tasklist.exe
PID 1384 wrote to memory of 3812	1384	cmd.exe	tasklist.exe
PID 1384 wrote to memory of 2184	1384	cmd.exe	net.exe
PID 1384 wrote to memory of 2184	1384	cmd.exe	net.exe
PID 2184 wrote to memory of 4324	2184	net.exe	net1.exe
PID 2184 wrote to memory of 4324	2184	net.exe	net1.exe
PID 1384 wrote to memory of 2448	1384	cmd.exe	net.exe
PID 1384 wrote to memory of 2448	1384	cmd.exe	net.exe
PID 2448 wrote to memory of 1452	2448	net.exe	net1.exe
PID 2448 wrote to memory of 1452	2448	net.exe	net1.exe
PID 1384 wrote to memory of 4476	1384	cmd.exe	net.exe
PID 1384 wrote to memory of 4476	1384	cmd.exe	net.exe
PID 4476 wrote to memory of 3188	4476	net.exe	net1.exe
PID 4476 wrote to memory of 3188	4476	net.exe	net1.exe
PID 1384 wrote to memory of 4568	1384	cmd.exe	net.exe
PID 1384 wrote to memory of 4568	1384	cmd.exe	net.exe
PID 4568 wrote to memory of 4432	4568	net.exe	net1.exe
PID 4568 wrote to memory of 4432	4568	net.exe	net1.exe
PID 1384 wrote to memory of 2460	1384	cmd.exe	net.exe
PID 1384 wrote to memory of 2460	1384	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe
"C:\Users\Admin\AppData\Local\Temp\1c78293ce610b259ffa159316ffc8644ef749c904c8979789a9de2bd16744f3a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4668

C:\Users\Admin\AppData\Local\Temp\D987.exe
C:\Users\Admin\AppData\Local\Temp\D987.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3700

C:\Users\Admin\AppData\Local\Temp\1180.exe
C:\Users\Admin\AppData\Local\Temp\1180.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:32

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:5036

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:1520

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4036

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:1236

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3048

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:4172

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:4316

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:4388

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3548

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:1604

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:2832

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:5048

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:2300

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:5100

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:2780

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:4948

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3812

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:4324

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:1452

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:3188

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:4432

C:\Windows\system32\net.exe
net use
2⤵
PID:2460

C:\Windows\system32\net.exe
net group
2⤵
PID:484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:2076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1180.exe
Filesize
304KB

MD5
610212ba55d4fe4580df7c4770b7ba04

SHA1
c1ab6b9e16372811b5e7b1050688b090d4bee47e

SHA256
021def3f02ddcf8a426a317bd1fdcab56035ac1a19a734e7f5a457c932a3766e

SHA512
c39b69a9c85d4bc0d15c7704bdc9b0fd5e93d7ef0138a2f808810f1eeda2bdda846e4aef4a313f311967cad6962bf70074ab7be8aedfb4eb1bf38567bd0ed892

Download Submit
C:\Users\Admin\AppData\Local\Temp\1180.exe
Filesize
304KB

MD5
610212ba55d4fe4580df7c4770b7ba04

SHA1
c1ab6b9e16372811b5e7b1050688b090d4bee47e

SHA256
021def3f02ddcf8a426a317bd1fdcab56035ac1a19a734e7f5a457c932a3766e

SHA512
c39b69a9c85d4bc0d15c7704bdc9b0fd5e93d7ef0138a2f808810f1eeda2bdda846e4aef4a313f311967cad6962bf70074ab7be8aedfb4eb1bf38567bd0ed892

Download Submit
C:\Users\Admin\AppData\Local\Temp\D987.exe
Filesize
303KB

MD5
ced18d0a074555e21af53fa202550dad

SHA1
a68547f20e7936600f3cc473015165651ccdde7f

SHA256
b57d0b43e757d20edf267b06160519576b8d0acc8df41c152c0a9d91b7e1018e

SHA512
10b790ab52fa756323654f3bd9f162076e438382cfbe5c9789b36bfeb88b0f42f82e7beffda777d6f5a4f7aaf107373d948ca56de9a1fec49d50d1d86b56544a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D987.exe
Filesize
303KB

MD5
ced18d0a074555e21af53fa202550dad

SHA1
a68547f20e7936600f3cc473015165651ccdde7f

SHA256
b57d0b43e757d20edf267b06160519576b8d0acc8df41c152c0a9d91b7e1018e

SHA512
10b790ab52fa756323654f3bd9f162076e438382cfbe5c9789b36bfeb88b0f42f82e7beffda777d6f5a4f7aaf107373d948ca56de9a1fec49d50d1d86b56544a

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-146-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/32-144-0x0000000000693000-0x00000000006A4000-memory.dmp

Filesize
68KB

Download
memory/32-145-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/32-141-0x0000000000000000-mapping.dmp

Download
memory/484-179-0x0000000000000000-mapping.dmp

Download
memory/1236-155-0x0000000000000000-mapping.dmp

Download
memory/1384-149-0x0000000000000000-mapping.dmp

Download
memory/1432-151-0x0000000000000000-mapping.dmp

Download
memory/1452-172-0x0000000000000000-mapping.dmp

Download
memory/1520-153-0x0000000000000000-mapping.dmp

Download
memory/1604-161-0x0000000000000000-mapping.dmp

Download
memory/2076-180-0x0000000000000000-mapping.dmp

Download
memory/2184-169-0x0000000000000000-mapping.dmp

Download
memory/2300-164-0x0000000000000000-mapping.dmp

Download
memory/2448-171-0x0000000000000000-mapping.dmp

Download
memory/2460-177-0x0000000000000000-mapping.dmp

Download
memory/2724-148-0x0000000008E20000-0x0000000008E2F000-memory.dmp

Filesize
60KB

Download
memory/2724-140-0x0000000005760000-0x0000000005776000-memory.dmp

Filesize
88KB

Download
memory/2724-133-0x0000000001470000-0x0000000001486000-memory.dmp

Filesize
88KB

Download
memory/2724-147-0x0000000008D60000-0x0000000008D76000-memory.dmp

Filesize
88KB

Download
memory/2780-166-0x0000000000000000-mapping.dmp

Download
memory/2832-162-0x0000000000000000-mapping.dmp

Download
memory/3048-156-0x0000000000000000-mapping.dmp

Download
memory/3188-174-0x0000000000000000-mapping.dmp

Download
memory/3548-160-0x0000000000000000-mapping.dmp

Download
memory/3700-134-0x0000000000000000-mapping.dmp

Download
memory/3700-137-0x00000000007B3000-0x00000000007C3000-memory.dmp

Filesize
64KB

Download
memory/3700-138-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/3700-139-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3812-168-0x0000000000000000-mapping.dmp

Download
memory/4036-154-0x0000000000000000-mapping.dmp

Download
memory/4172-157-0x0000000000000000-mapping.dmp

Download
memory/4316-158-0x0000000000000000-mapping.dmp

Download
memory/4324-170-0x0000000000000000-mapping.dmp

Download
memory/4388-159-0x0000000000000000-mapping.dmp

Download
memory/4432-176-0x0000000000000000-mapping.dmp

Download
memory/4476-173-0x0000000000000000-mapping.dmp

Download
memory/4568-175-0x0000000000000000-mapping.dmp

Download
memory/4656-150-0x0000000000000000-mapping.dmp

Download
memory/4668-130-0x00000000004C2000-0x00000000004D3000-memory.dmp

Filesize
68KB

Download
memory/4668-132-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4668-131-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/4948-167-0x0000000000000000-mapping.dmp

Download
memory/5036-152-0x0000000000000000-mapping.dmp

Download
memory/5048-163-0x0000000000000000-mapping.dmp

Download
memory/5100-165-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads