glupteba | e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46

Analysis

max time kernel
4s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe
Size

4.2MB
MD5

11ab111ec46b24ac0e8822e3f1a88ffe
SHA1

80ae5ba81f6edab19dd3eefdab3de31ffd252ba0
SHA256

e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46
SHA512

08b7b061b32de65126bd22c8e04a917332c78e8fb77b660e35ebccf5cdfd5fbd07fb7f76efbb221da0f2cdc5a279aac6a26e8c0749b6dd862a9791da1b7274cb
SSDEEP

98304:eRm1FI4Ofs4hghp/MO0myowzLWwPA6QaCj20M9u8R69Afm/Q:km0lfCbR/wzqGAbaCjcQC

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral2/memory/4936-134-0x0000000002DC0000-0x00000000036AB000-memory.dmp	family_glupteba
behavioral2/memory/4936-179-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3520	netsh.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023110-347.dat	upx
behavioral2/files/0x0008000000023110-346.dat	upx
behavioral2/files/0x0008000000023110-348.dat	upx
behavioral2/memory/5108-349-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1076-350-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1076-356-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1076-358-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x001300000001db15-364.dat	upx
behavioral2/files/0x001300000001db15-366.dat	upx
behavioral2/memory/264-367-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral2/memory/1076-368-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/264-370-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral2/memory/264-372-0x0000000000400000-0x0000000000C25000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2712	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
228	schtasks.exe
4636	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe
"C:\Users\Admin\AppData\Local\Temp\e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe"
1⤵
PID:4936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe
  "C:\Users\Admin\AppData\Local\Temp\e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe"
  2⤵
  PID:908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1904
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4204
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3756
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3196
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2824
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4636
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4012
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      4⤵
      PID:264
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        5⤵
        
        PID:956
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        5⤵
        
        PID:3240

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_parnasnw.kup.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5e6b709bdab63fd6d128f6b85d35f53c

SHA1
03c483486ca42c912740efee3ef1e09011c421c3

SHA256
31a6b280972ed46f34cf31ce399df066011bb4d9cdf4aa20a6f9eb99d2b66e08

SHA512
3401f03ec79d59242c97165450b4e59ebda5720fb9d0678e9e6dd1cd5c5e323132290b3cc45e81b609a5c68a5f46ba8f7539cd75656a6fa4b65a7d2f4a7f1766

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bffd5c4458688245ec4e580ce6e8da18

SHA1
a9e8a94c785f32507ddfc05edd8e3ee752f80e98

SHA256
86e93b886746d483fd9a70232a2e59c72c7a955c4ebdb5672d6a32d480471819

SHA512
1b18b6fd0b49afbb4a72867057f5cd98e3c9164625b2228a2bcd294cff94385370f6c96bb81b1e35b575cac5e618c70bf5cb28dd562c9878cb0e21f22b273651

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
fb9ee1cb7e2cb3ea9f151c19e612c9f8

SHA1
5bb127c21aef468b79afb8e1ae99cb5e0b5b698c

SHA256
e79ff0182ce4b70696a78e8c3e209ce9014fa6b8af68ac38dc876a6649b88543

SHA512
4a482005e3abe7252595fbe5fe68600634cf45962ea907c110274f864cf0d5fd995eb97a269dbf861e5b3e820e76c4b34330dc85bd7dce8eced50f5af2d1481f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8e65dfdea4a70f82a4b6e9e86ead82c9

SHA1
646d42b1aeaf10782b92de5a9341e96fee22ff10

SHA256
329f1eb8ce84459a3abf89b6e5a4eee826388125a62912ce2070c82a4ab82fc9

SHA512
dd39fbfbe2431493502339989b7c932d5955046b3ad91d60a7adb0a0a8a43cfd048503630673695c5d68ede64cc08a11335c6e0d7cfbac57c282c002a9cd1478

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
79ad5cb28ae9b11b2147e11c8908fe65

SHA1
8df0c3d226b59065379ff6bd82e200638808a0fc

SHA256
3364607441b516ac76ccfce60bd1f5b61a09265b5d181979226bd58f91d62f42

SHA512
d89d00fe63f67a3c7d7155181b4f8c32e839cead0fb1d84cbcfd9a731281461b4baa62b99ba35dccdfbae3e6628b18043c11ee1d5ea2cce9944e50996eba712a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f02a2a85716ac52ce4d99ab948364b6e

SHA1
9608371f18305316aa8995fa3be54f96fccd3ade

SHA256
4f859516ca5062c171f79192909a794b52b9b28be05ed611003814c9da21c898

SHA512
ca7938eba0692967a1cf717e3ddf5f4b7a414ac45dcea4b47ac3c80a143a5a2c01d7f039f2e8121b1e88ad947b463f365244bd21f10d6f718da74c81af8d1fe6

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
11ab111ec46b24ac0e8822e3f1a88ffe

SHA1
80ae5ba81f6edab19dd3eefdab3de31ffd252ba0

SHA256
e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46

SHA512
08b7b061b32de65126bd22c8e04a917332c78e8fb77b660e35ebccf5cdfd5fbd07fb7f76efbb221da0f2cdc5a279aac6a26e8c0749b6dd862a9791da1b7274cb

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/264-372-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/264-370-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/264-367-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/380-353-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/380-359-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/380-357-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/380-355-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/380-351-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/380-365-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/380-369-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/380-338-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/908-259-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1076-358-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1076-356-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1076-350-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1076-368-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1624-215-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1624-217-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1624-218-0x0000000070C00000-0x0000000070C4C000-memory.dmp

Filesize
304KB

Download
memory/1624-219-0x00000000713C0000-0x0000000071714000-memory.dmp

Filesize
3.3MB

Download
memory/1624-229-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/1624-216-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1868-173-0x0000000007FF0000-0x0000000007FFE000-memory.dmp

Filesize
56KB

Download
memory/1868-137-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/1868-158-0x0000000070B00000-0x0000000070B4C000-memory.dmp

Filesize
304KB

Download
memory/1868-159-0x0000000070C80000-0x0000000070FD4000-memory.dmp

Filesize
3.3MB

Download
memory/1868-169-0x0000000007E50000-0x0000000007E6E000-memory.dmp

Filesize
120KB

Download
memory/1868-152-0x0000000006E40000-0x0000000006E84000-memory.dmp

Filesize
272KB

Download
memory/1868-170-0x0000000007FA0000-0x0000000007FAA000-memory.dmp

Filesize
40KB

Download
memory/1868-156-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/1868-151-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/1868-171-0x00000000080B0000-0x0000000008146000-memory.dmp

Filesize
600KB

Download
memory/1868-136-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/1868-135-0x0000000003310000-0x0000000003346000-memory.dmp

Filesize
216KB

Download
memory/1868-172-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/1868-157-0x0000000007E70000-0x0000000007EA2000-memory.dmp

Filesize
200KB

Download
memory/1868-150-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/1868-175-0x0000000008040000-0x0000000008048000-memory.dmp

Filesize
32KB

Download
memory/1868-174-0x0000000008050000-0x000000000806A000-memory.dmp

Filesize
104KB

Download
memory/1868-154-0x0000000008320000-0x000000000899A000-memory.dmp

Filesize
6.5MB

Download
memory/1868-155-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

Filesize
104KB

Download
memory/1868-153-0x0000000007C20000-0x0000000007C96000-memory.dmp

Filesize
472KB

Download
memory/1868-138-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/1868-139-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/1868-140-0x00000000061C0000-0x0000000006226000-memory.dmp

Filesize
408KB

Download
memory/1888-335-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1888-324-0x0000000070A80000-0x0000000070ACC000-memory.dmp

Filesize
304KB

Download
memory/1888-325-0x0000000071210000-0x0000000071564000-memory.dmp

Filesize
3.3MB

Download
memory/1888-336-0x000000007FA80000-0x000000007FA90000-memory.dmp

Filesize
64KB

Download
memory/1888-322-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3196-310-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3196-311-0x000000007EE50000-0x000000007EE60000-memory.dmp

Filesize
64KB

Download
memory/3196-299-0x0000000070A80000-0x0000000070ACC000-memory.dmp

Filesize
304KB

Download
memory/3196-300-0x0000000070C00000-0x0000000070F54000-memory.dmp

Filesize
3.3MB

Download
memory/3196-298-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3196-297-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3604-189-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/3604-192-0x0000000070D90000-0x00000000710E4000-memory.dmp

Filesize
3.3MB

Download
memory/3604-191-0x0000000070C00000-0x0000000070C4C000-memory.dmp

Filesize
304KB

Download
memory/3604-190-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/3756-274-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3756-276-0x0000000071300000-0x0000000071654000-memory.dmp

Filesize
3.3MB

Download
memory/3756-275-0x0000000070B60000-0x0000000070BAC000-memory.dmp

Filesize
304KB

Download
memory/3756-272-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3756-273-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/4204-253-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4204-254-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/4204-243-0x0000000070D80000-0x00000000710D4000-memory.dmp

Filesize
3.3MB

Download
memory/4204-242-0x0000000070C00000-0x0000000070C4C000-memory.dmp

Filesize
304KB

Download
memory/4204-241-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4936-179-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4936-134-0x0000000002DC0000-0x00000000036AB000-memory.dmp

Filesize
8.9MB

Download
memory/5108-349-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads