smokeloader | 78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010

General

Target

78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe
Size

300KB
MD5

fc87209b84bf6633891b3b326c439fbc
SHA1

15db6ca92e03ab147dcd713190901a891823d67f
SHA256

78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010
SHA512

a1d329fcfd82ee558bcaffe1f63351e62b147caaa3580477a7d2b05fdcdeeb1f2e9cf5c7e2de48b16440fa0bc39ff62a6b75175e50c57c6f25036f70eebb1c0f
SSDEEP

3072:ClNib6bhxLKVXRGXpf6aCLyKo3SW1+YmNAI917EquQjiMTE5sThCgafj:CGqxLQk5fGL1oiO+YmJduQj9PTwga

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4868-133-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

53 4956 rundll32.exe
58 4956 rundll32.exe
73 4956 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

E890.exe

pid process

448 E890.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4956 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4956 set thread context of 4816 4956 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3792 448 WerFault.exe E890.exe

flow	pid	process
53	4956	rundll32.exe
58	4956	rundll32.exe
73	4956	rundll32.exe

pid	process
448	E890.exe

pid	process
4956	rundll32.exe

description	pid	process	target process
PID 4956 set thread context of 4816	4956	rundll32.exe	rundll32.exe

pid	pid_target	process	target process
3792	448	WerFault.exe	E890.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000465665a9100054656d7000003a0009000400efbe6b55586c46566aa92e0000000000000000000000000000000000000000000000000012a60400540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2644

pid	process
2644

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe

pid	process
4868	78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe
4868	78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2644
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe

pid process

4868 78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe

pid	process
2644

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4816 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2644
2644
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2644

pid	process
4816	rundll32.exe

pid	process
2644
2644

pid	process
2644

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

E890.exerundll32.exe

description	pid	process	target process
PID 2644 wrote to memory of 448	2644		E890.exe
PID 2644 wrote to memory of 448	2644		E890.exe
PID 2644 wrote to memory of 448	2644		E890.exe
PID 448 wrote to memory of 4956	448	E890.exe	rundll32.exe
PID 448 wrote to memory of 4956	448	E890.exe	rundll32.exe
PID 448 wrote to memory of 4956	448	E890.exe	rundll32.exe
PID 4956 wrote to memory of 4816	4956	rundll32.exe	rundll32.exe
PID 4956 wrote to memory of 4816	4956	rundll32.exe	rundll32.exe
PID 4956 wrote to memory of 4816	4956	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe
"C:\Users\Admin\AppData\Local\Temp\78cc1ac6964aefbb47531da66d2a2284a801e7dd555413468f975eb713569010.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4868

C:\Users\Admin\AppData\Local\Temp\E890.exe
C:\Users\Admin\AppData\Local\Temp\E890.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24025
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 512
2⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 448 -ip 448
1⤵
PID:4952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E890.exe
Filesize
3.7MB

MD5
1b8fcbd3a720af02aad4f568669a2344

SHA1
4e1b76abae27ce57cd9c643cbd4920706c3aa919

SHA256
51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145

SHA512
ae235fc95656d82eaaa8ac184a73b1a1571a1f1b4a7ca88f2e3c952a639170dafd36ecbd0bcfeffdf60ef9067b03835d8e560124221ae05a76ef1623a49b6a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\E890.exe
Filesize
3.7MB

MD5
1b8fcbd3a720af02aad4f568669a2344

SHA1
4e1b76abae27ce57cd9c643cbd4920706c3aa919

SHA256
51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145

SHA512
ae235fc95656d82eaaa8ac184a73b1a1571a1f1b4a7ca88f2e3c952a639170dafd36ecbd0bcfeffdf60ef9067b03835d8e560124221ae05a76ef1623a49b6a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
060e802fbd0a7bf9ddefaf24ff82d81f

SHA1
1ba90716bd96b5e4239c6c013feaf3471c1d478a

SHA256
d5de79d5e3d982be1c5ad3d7c385c1a111b5f91cb5978dfb74e79d685971918a

SHA512
a4f7a160e187366b451d85421b1ba2e432b797948e415e907a253dd3dc001c8b0f8a301fd0e64b296f23bbff84cf4db9ae0a81c634396d0196c3db4ee3f8d998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
060e802fbd0a7bf9ddefaf24ff82d81f

SHA1
1ba90716bd96b5e4239c6c013feaf3471c1d478a

SHA256
d5de79d5e3d982be1c5ad3d7c385c1a111b5f91cb5978dfb74e79d685971918a

SHA512
a4f7a160e187366b451d85421b1ba2e432b797948e415e907a253dd3dc001c8b0f8a301fd0e64b296f23bbff84cf4db9ae0a81c634396d0196c3db4ee3f8d998

Download Submit
memory/448-136-0x0000000000000000-mapping.dmp

Download
memory/448-139-0x00000000027AC000-0x0000000002B24000-memory.dmp

Filesize
3.5MB

Download
memory/448-140-0x0000000002B30000-0x0000000003006000-memory.dmp

Filesize
4.8MB

Download
memory/448-141-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/448-145-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4816-159-0x0000000000830000-0x0000000000AC1000-memory.dmp

Filesize
2.6MB

Download
memory/4816-156-0x0000022F315B0000-0x0000022F316F0000-memory.dmp

Filesize
1.2MB

Download
memory/4816-160-0x0000022F2FB60000-0x0000022F2FE03000-memory.dmp

Filesize
2.6MB

Download
memory/4816-155-0x00007FF63B236890-mapping.dmp

Download
memory/4816-157-0x0000022F315B0000-0x0000022F316F0000-memory.dmp

Filesize
1.2MB

Download
memory/4868-134-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4868-132-0x000000000060E000-0x0000000000623000-memory.dmp

Filesize
84KB

Download
memory/4868-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4868-135-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4956-146-0x0000000003E70000-0x00000000049BE000-memory.dmp

Filesize
11.3MB

Download
memory/4956-151-0x0000000004A80000-0x0000000004BC0000-memory.dmp

Filesize
1.2MB

Download
memory/4956-152-0x0000000004A80000-0x0000000004BC0000-memory.dmp

Filesize
1.2MB

Download
memory/4956-153-0x0000000004A80000-0x0000000004BC0000-memory.dmp

Filesize
1.2MB

Download
memory/4956-150-0x0000000004A80000-0x0000000004BC0000-memory.dmp

Filesize
1.2MB

Download
memory/4956-154-0x0000000004A80000-0x0000000004BC0000-memory.dmp

Filesize
1.2MB

Download
memory/4956-149-0x0000000004A80000-0x0000000004BC0000-memory.dmp

Filesize
1.2MB

Download
memory/4956-148-0x0000000003E70000-0x00000000049BE000-memory.dmp

Filesize
11.3MB

Download
memory/4956-158-0x0000000004AF9000-0x0000000004AFB000-memory.dmp

Filesize
8KB

Download
memory/4956-147-0x0000000003E70000-0x00000000049BE000-memory.dmp

Filesize
11.3MB

Download
memory/4956-142-0x0000000000000000-mapping.dmp

Download
memory/4956-161-0x0000000003E70000-0x00000000049BE000-memory.dmp

Filesize
11.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads