smokeloader | 2a6299dfcbcf3186ded295395c7028d651ff178df40d587b531b6bc25f2e3d3f

General

Target

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Size

307KB
MD5

0abe50c1509136bf62d2184ab439e7a5
SHA1

722a7e2a0dd66f506ba93d24946b8bf504b100c0
SHA256

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
SHA512

0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
SSDEEP

6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4304-134-0x0000000000BA0000-0x0000000000BA9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

45 5080 rundll32.exe
57 5080 rundll32.exe
58 5080 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

4E.exe

pid process

1544 4E.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5080 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 5080 set thread context of 1500 5080 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3344 1544 WerFault.exe 4E.exe

flow	pid	process
45	5080	rundll32.exe
57	5080	rundll32.exe
58	5080	rundll32.exe

pid	process
1544	4E.exe

pid	process
5080	rundll32.exe

description	pid	process	target process
PID 5080 set thread context of 1500	5080	rundll32.exe	rundll32.exe

pid	pid_target	process	target process
3344	1544	WerFault.exe	4E.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000006e557da4100054656d7000003a0009000400efbe0c551d9c6e5584a42e000000000000000000000000000000000000000000000000005342c900540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2864

pid	process
2864

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe

pid	process
4304	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
4304	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2864
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe

pid process

4304 db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe

pid	process
2864

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1500 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2864
2864

pid	process
1500	rundll32.exe

pid	process
2864
2864

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4E.exerundll32.exe

description	pid	process	target process
PID 2864 wrote to memory of 1544	2864		4E.exe
PID 2864 wrote to memory of 1544	2864		4E.exe
PID 2864 wrote to memory of 1544	2864		4E.exe
PID 1544 wrote to memory of 5080	1544	4E.exe	rundll32.exe
PID 1544 wrote to memory of 5080	1544	4E.exe	rundll32.exe
PID 1544 wrote to memory of 5080	1544	4E.exe	rundll32.exe
PID 5080 wrote to memory of 1500	5080	rundll32.exe	rundll32.exe
PID 5080 wrote to memory of 1500	5080	rundll32.exe	rundll32.exe
PID 5080 wrote to memory of 1500	5080	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
"C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4304

C:\Users\Admin\AppData\Local\Temp\4E.exe
C:\Users\Admin\AppData\Local\Temp\4E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 16327
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 500
2⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1544 -ip 1544
1⤵
PID:4228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4E.exe
Filesize
3.0MB

MD5
a6809a0da3ac7da364c708f781161cf6

SHA1
e68f010ad14d7f00890c755a3ec5135027b355e4

SHA256
c40e7bef8854ab8d7f96917ca4650bc04915c68837b5459565c3bec26db45b84

SHA512
7eeb9fb194121b61259efe1f14b8471b06e8a1817ce7ca8ddb2101d6bbfcb327ecd384207c987e1e130a61a32be54198013e8a490bf61afd6d53d9f0b3e26dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E.exe
Filesize
3.0MB

MD5
a6809a0da3ac7da364c708f781161cf6

SHA1
e68f010ad14d7f00890c755a3ec5135027b355e4

SHA256
c40e7bef8854ab8d7f96917ca4650bc04915c68837b5459565c3bec26db45b84

SHA512
7eeb9fb194121b61259efe1f14b8471b06e8a1817ce7ca8ddb2101d6bbfcb327ecd384207c987e1e130a61a32be54198013e8a490bf61afd6d53d9f0b3e26dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll
Filesize
4.3MB

MD5
e57c417c9dd87946ef9bdca4919d010f

SHA1
d5733fe5d5d93a2492fad98dd20c2c7b1c6220f2

SHA256
54819bc7a9e2f302d27ad904ff35fd22d5cb77b7cf391fb7dee968165b72cb0f

SHA512
c51f7ce0ffce748e1a2042ace2224f176ae7ad78334a5e9be443e69c48399dd94fab480c1321b8a0771b86d3cf89973486e9a87edd174ffdc1738755e8eb5d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll
Filesize
4.3MB

MD5
e57c417c9dd87946ef9bdca4919d010f

SHA1
d5733fe5d5d93a2492fad98dd20c2c7b1c6220f2

SHA256
54819bc7a9e2f302d27ad904ff35fd22d5cb77b7cf391fb7dee968165b72cb0f

SHA512
c51f7ce0ffce748e1a2042ace2224f176ae7ad78334a5e9be443e69c48399dd94fab480c1321b8a0771b86d3cf89973486e9a87edd174ffdc1738755e8eb5d8b

Download Submit
memory/1500-163-0x00000250B1B90000-0x00000250B1E33000-memory.dmp

Filesize
2.6MB

Download
memory/1500-159-0x00000250B35E0000-0x00000250B3720000-memory.dmp

Filesize
1.2MB

Download
memory/1500-160-0x00000250B35E0000-0x00000250B3720000-memory.dmp

Filesize
1.2MB

Download
memory/1500-162-0x0000000000810000-0x0000000000AA2000-memory.dmp

Filesize
2.6MB

Download
memory/1500-158-0x00007FF6CE666890-mapping.dmp

Download
memory/1544-137-0x0000000000000000-mapping.dmp

Download
memory/1544-142-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/1544-141-0x0000000002A60000-0x0000000002D61000-memory.dmp

Filesize
3.0MB

Download
memory/1544-140-0x0000000000DFC000-0x00000000010BF000-memory.dmp

Filesize
2.8MB

Download
memory/1544-147-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/4304-136-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/4304-135-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/4304-133-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/4304-134-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

Filesize
36KB

Download
memory/5080-149-0x00000000039B0000-0x000000000453C000-memory.dmp

Filesize
11.5MB

Download
memory/5080-152-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/5080-153-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/5080-154-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/5080-155-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/5080-156-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/5080-157-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/5080-151-0x00000000039B0000-0x000000000453C000-memory.dmp

Filesize
11.5MB

Download
memory/5080-150-0x00000000039B0000-0x000000000453C000-memory.dmp

Filesize
11.5MB

Download
memory/5080-148-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/5080-146-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/5080-161-0x0000000004679000-0x000000000467B000-memory.dmp

Filesize
8KB

Download
memory/5080-143-0x0000000000000000-mapping.dmp

Download
memory/5080-164-0x00000000039B0000-0x000000000453C000-memory.dmp

Filesize
11.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads