glupteba | 4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7

Analysis

max time kernel
4s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 13:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7.exe
Size

4.2MB
MD5

45035aa4e410a118fc3b1a99442b3707
SHA1

5161db120a2afb5da3e280fe3e2f2137362505ae
SHA256

4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7
SHA512

823ee845372402d6f67963236ea7edd3d59dc67c0bbe4c5817270b980d8caee6f0f84f8d07fbebba04b88c5f2df1e66596dee6c3a0643c5376a303a049905093
SSDEEP

98304:amXHUlT9cIh0LS4r7UEvP4rjFs2HGiy8tvwmqf7SOA9:bp0x4rQJrZs4GL2vwhs9

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

resource	yara_rule
behavioral2/memory/1220-134-0x0000000003150000-0x0000000003A3B000-memory.dmp	family_glupteba
behavioral2/memory/1220-171-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1220-180-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1332-264-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3672-347-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4560	netsh.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023174-351.dat	upx
behavioral2/files/0x0007000000023174-350.dat	upx
behavioral2/files/0x0007000000023174-352.dat	upx
behavioral2/memory/3496-353-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3700-354-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3700-360-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x001400000001db15-373.dat	upx
behavioral2/files/0x001400000001db15-374.dat	upx
behavioral2/memory/3700-376-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2468-375-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral2/memory/2468-378-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral2/memory/2468-380-0x0000000000400000-0x0000000000C25000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
316	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
668	1220	WerFault.exe	20
3768	1332	WerFault.exe	88

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4680	schtasks.exe
848	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7.exe
"C:\Users\Admin\AppData\Local\Temp\4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7.exe"
1⤵
PID:1220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7.exe
  "C:\Users\Admin\AppData\Local\Temp\4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7.exe"
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2996
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3444
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3376
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:3032
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:848
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:3496
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:1300
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:316
  - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      4⤵
      PID:2468
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        5⤵
        
        PID:2620
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        5⤵
        
        PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 800
    3⤵
    - Program crash
    PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 860
  2⤵
  - Program crash
  PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1220 -ip 1220
1⤵
PID:4240

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1332 -ip 1332
1⤵
PID:4980

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_makmfw20.0bu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
1.4MB

MD5
e5f1aebf79c2d3e9fe8cd8bcdcb592f0

SHA1
06fc3e96625ea2b509b8be5d1e2a2e752912cca1

SHA256
d2a733f734af0e62d958e6148846aa262a0187acf4f7ac0f0322cc057da4f004

SHA512
fa82bfb2025438f6d274bfbd40a892cf11fcb6ee0b53c489730d9cf9193864b72e8adf70e3ed388719d247891d4f7284f83e99c91479cb257c062269c6a27589

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
923KB

MD5
4bf5da1261be7e6c2ec1c54a47755724

SHA1
5880e37bc924526221319f3391945b7ed3aeb8d1

SHA256
d11521db16d84cf9f9edd76ec41ff6b971298d436dcd13b39e8908ae07f592e1

SHA512
169aa23f9442117c79f84aa9a03ef7d3d53157cf2f071886ec5c900b00beae0926d0413e1acce813b4170ca574429e0f94822eb0c18fca3b76258e79522c33ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
35c540f4f12f52402bef0d10cd15b9b0

SHA1
b228549dc878c739db77640e8ce66e4f4ab24a9d

SHA256
4c2458cf4e51d4df42c865e2e9f27c99ea5baa6a286443731b42f054c53bdba7

SHA512
c67ad0765ec6482ed827ef303172806b70b18bcbc4ed53d5d59ea7e04ae34e9869dc95df16108408351a125888e342c6b530ebb637a246bd9cec327ef91ea30a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
cb9c04569f5342b3ff337e14106de1b9

SHA1
718756f7a184a534770cb87993e349c28dad23e9

SHA256
70d6f728b491ef6eb69518c443a0b5319ee202b2e88ec8d255919951fc92e1e8

SHA512
1897b4a4dbce0963243d8a832483ee67871c11f61d6a572982359292c5d04c400902ce8db1a31dd8f9dabebf9249468ddfba90454ca7bf0d9e05179b392606b4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8b943771ee035299f3233d3a77362d80

SHA1
e3d323b0e22bee02ecdd8612f3c88f35b5c12398

SHA256
15a7236590b6e0fd7417be466a288c2f0663eb7958acaf8e53182627e05405f7

SHA512
f3445cf5485dedccf268f7cb4ac21d9b9c4d60fe6e2ebaba38ccb8eac5e395fa0f3f368e245eab80ce4baed15bd700f027a8ce376bc87a38d329c5be85bd313b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
551ecffde91c1413f74f6fecb20f2aeb

SHA1
e109da7ffd5acf8af1b6befac0f887bd80e5ca24

SHA256
f79885b13f5b09da86c388ec09948a472b9fa06e9979d5ac4f1ab7ffe1d31fe4

SHA512
97fa1f8648f7887a25e8a193813d9fb1107aed77088b1c8f5070e3aec8a86a7ca0b5f8cd981052537d98fb39ea5a8c9d0b4ebbbc39d1f3ff8afeec154af588d2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0475f543c3e5d1ca873316ee6d30b649

SHA1
07fc4deee88e6d37d757e41113fd55737d882e0a

SHA256
76620795514989bf874673228eb56b3d829060d88428b8f1363986e79c7dadfb

SHA512
653c496f7a9872781c8fdee7f3180893272ba42c310a3e0e749a532dc0a8fdd0f709cc14d7b304c46203f450d3ecab4f5d878a1fdb66b8c6d824c9da778fa24e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
45035aa4e410a118fc3b1a99442b3707

SHA1
5161db120a2afb5da3e280fe3e2f2137362505ae

SHA256
4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7

SHA512
823ee845372402d6f67963236ea7edd3d59dc67c0bbe4c5817270b980d8caee6f0f84f8d07fbebba04b88c5f2df1e66596dee6c3a0643c5376a303a049905093

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
45035aa4e410a118fc3b1a99442b3707

SHA1
5161db120a2afb5da3e280fe3e2f2137362505ae

SHA256
4a49e8e1e9dfc489ad021bd9c0ce00dfc43a59b202a0abca95d29f4a56a6bee7

SHA512
823ee845372402d6f67963236ea7edd3d59dc67c0bbe4c5817270b980d8caee6f0f84f8d07fbebba04b88c5f2df1e66596dee6c3a0643c5376a303a049905093

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1008-175-0x00000000079D0000-0x00000000079EA000-memory.dmp

Filesize
104KB

Download
memory/1008-154-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1008-170-0x0000000007870000-0x000000000787A000-memory.dmp

Filesize
40KB

Download
memory/1008-172-0x000000007F770000-0x000000007F780000-memory.dmp

Filesize
64KB

Download
memory/1008-135-0x0000000004C20000-0x0000000004C56000-memory.dmp

Filesize
216KB

Download
memory/1008-173-0x0000000007930000-0x00000000079C6000-memory.dmp

Filesize
600KB

Download
memory/1008-174-0x00000000078D0000-0x00000000078DE000-memory.dmp

Filesize
56KB

Download
memory/1008-137-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1008-176-0x0000000007910000-0x0000000007918000-memory.dmp

Filesize
32KB

Download
memory/1008-138-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/1008-169-0x0000000007720000-0x000000000773E000-memory.dmp

Filesize
120KB

Download
memory/1008-158-0x0000000070B00000-0x0000000070B4C000-memory.dmp

Filesize
304KB

Download
memory/1008-157-0x0000000007740000-0x0000000007772000-memory.dmp

Filesize
200KB

Download
memory/1008-155-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/1008-156-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/1008-159-0x0000000070CA0000-0x0000000070FF4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-153-0x00000000074F0000-0x0000000007566000-memory.dmp

Filesize
472KB

Download
memory/1008-136-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1008-152-0x0000000007350000-0x0000000007394000-memory.dmp

Filesize
272KB

Download
memory/1008-139-0x00000000052E0000-0x0000000005302000-memory.dmp

Filesize
136KB

Download
memory/1008-140-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/1008-141-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/1008-151-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/1220-134-0x0000000003150000-0x0000000003A3B000-memory.dmp

Filesize
8.9MB

Download
memory/1220-180-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1220-171-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1300-231-0x000000007EFE0000-0x000000007EFF0000-memory.dmp

Filesize
64KB

Download
memory/1300-230-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/1300-220-0x00000000713A0000-0x00000000716F4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-219-0x0000000070C00000-0x0000000070C4C000-memory.dmp

Filesize
304KB

Download
memory/1300-217-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/1332-264-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1720-190-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/1720-204-0x000000007FD30000-0x000000007FD40000-memory.dmp

Filesize
64KB

Download
memory/1720-194-0x00000000713C0000-0x0000000071714000-memory.dmp

Filesize
3.3MB

Download
memory/1720-193-0x0000000070C00000-0x0000000070C4C000-memory.dmp

Filesize
304KB

Download
memory/1720-192-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/1720-191-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/2468-375-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/2468-378-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/2468-380-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/2996-256-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/2996-244-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/2996-257-0x000000007EFC0000-0x000000007EFD0000-memory.dmp

Filesize
64KB

Download
memory/2996-245-0x0000000070C00000-0x0000000070C4C000-memory.dmp

Filesize
304KB

Download
memory/2996-246-0x00000000713A0000-0x00000000716F4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-243-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/3148-329-0x0000000070C00000-0x0000000070F54000-memory.dmp

Filesize
3.3MB

Download
memory/3148-327-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3148-328-0x0000000070A80000-0x0000000070ACC000-memory.dmp

Filesize
304KB

Download
memory/3148-339-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3148-340-0x000000007F690000-0x000000007F6A0000-memory.dmp

Filesize
64KB

Download
memory/3148-326-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3444-302-0x0000000070A80000-0x0000000070ACC000-memory.dmp

Filesize
304KB

Download
memory/3444-300-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3444-301-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3444-314-0x000000007F6A0000-0x000000007F6B0000-memory.dmp

Filesize
64KB

Download
memory/3444-313-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3444-303-0x0000000070C00000-0x0000000070F54000-memory.dmp

Filesize
3.3MB

Download
memory/3496-353-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3672-369-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-377-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-357-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-359-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-347-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-361-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-363-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-365-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-367-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3672-355-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3700-376-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3700-354-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3700-360-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4588-265-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4588-277-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4588-276-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4588-278-0x0000000070B60000-0x0000000070BAC000-memory.dmp

Filesize
304KB

Download
memory/4588-279-0x0000000071300000-0x0000000071654000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads